Skip to main content

Mailerup

2 CVEs product

Monthly

CVE-2026-13164 HIGH PATCH This Week

Unauthenticated account self-registration in MailerUp before 1.0.1 lets any remote attacker POST to /api/auth/register/ and obtain a working account, even on instances where operators intended registration to be closed, because the RegisterView is wired with Django REST Framework's AllowAny permission and enforces no email verification, CAPTCHA, or admin approval. Once registered, the attacker can read every email stored by the instance, yielding full disclosure of all stored messages. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; a vendor patch (1.0.1) removes the public registration endpoint entirely.

Authentication Bypass Mailerup
NVD GitHub
CVSS 4.0
8.8
EPSS
0.4%
CVE-2026-13163 MEDIUM PATCH This Month

Open redirect in Mailerup's click-tracking endpoint allows remote unauthenticated attackers to redirect victims to arbitrary external domains by supplying a crafted `u` query parameter to `/c/<token>/`. The `_safe_redirect` function blocks only `javascript:` and `data:` schemes without restricting the destination host, and silently swallows `signing.BadSignature` exceptions - making token validation entirely bypassable. No CISA KEV listing or public exploit code has been identified; exploitation requires victim interaction but no attacker authentication against the Mailerup instance.

Open Redirect Mailerup
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.3%
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Unauthenticated account self-registration in MailerUp before 1.0.1 lets any remote attacker POST to /api/auth/register/ and obtain a working account, even on instances where operators intended registration to be closed, because the RegisterView is wired with Django REST Framework's AllowAny permission and enforces no email verification, CAPTCHA, or admin approval. Once registered, the attacker can read every email stored by the instance, yielding full disclosure of all stored messages. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; a vendor patch (1.0.1) removes the public registration endpoint entirely.

Authentication Bypass Mailerup
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Open redirect in Mailerup's click-tracking endpoint allows remote unauthenticated attackers to redirect victims to arbitrary external domains by supplying a crafted `u` query parameter to `/c/<token>/`. The `_safe_redirect` function blocks only `javascript:` and `data:` schemes without restricting the destination host, and silently swallows `signing.BadSignature` exceptions - making token validation entirely bypassable. No CISA KEV listing or public exploit code has been identified; exploitation requires victim interaction but no attacker authentication against the Mailerup instance.

Open Redirect Mailerup
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy