mailman3 is vulnerable to timing attacks. The vulnerability exists because of the use of basic string equality which allows an attacker to talk directly to the REST API, which by default is bound to localhost.Read More