QR codes essentially just encode text, as long as you're using a sensible QR code reader and check any URLs before opening them there's minimal risk to scanning a QR code.
Respectfully I think this is a minimal attack vector in this case due to the limited character set of urls. But thanks for the callout, I didn't know there was a name for this sort of attack.
