I don't understand the issue. If I go to https://example.com/mailman//edithtml/tests/listinfo.html?html_code=XSS%20de... (replacing 'example.com' with a real mailman server) I get a response "No such list tests". The query fragment "html_code=XSS%20demo" is apparently ignored.

Please explain in more detail what the issue is and the steps to exploit it so I can understand it.

--
You received this bug notification because you are a member of Mailman Coders, which is subscribed to GNU Mailman.
https://bugs.launchpad.net/bugs/1884752

Title:
  Brute forcing to match the admin list at www.example.com//mailman/edithtml/tests/listinfo.html?html_code=XSS%20demo

To manage notifications about this bug go to:
https://bugs.launchpad.net/mailman/+bug/1884752/+subscriptions