[CLSA-2026:1779579653] thunderbird: Fix of 4 CVEs
Type:
security
Severity:
Critical
Release date:
2026-05-25 07:35:52 UTC
Description:
- CVE-2024-0742: assertion failure in nsPresContext::UserInputEventsAllowed (Document::SetIsInitialDocument sticky-bit)
- CVE-2025-2830: path traversal via malformed attachment filename in multipart message (directory guard in MimePart._fetchAttachment + mimedrft.cpp)
- CVE-2025-3909: predictable tempfile path enables JavaScript execution from attachment opened in file:/// context (per-PID tempdir, 0o700)
- CVE-2025-3932: tracking links in attachments bypass remote-content blocking (scheme allowlist + FeedMsg http(s) carve-out in AttachmentInfo.isEmpty)
Updated packages:
  • thunderbird-115.4.1-1.el9_2.alma.tuxcare.els3.x86_64.rpm
    sha:23698637255e25a43ea9201816498ee8a5c13ea63e609cbfd3c9dded82b895d9
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.