A local file inclusion vulnerability was found in xdg-utils:
"xdg-email: remove attachment handling from mailto
This allows attacker to extract secrets from users:
Please apply the linked patch.
(In reply to Sam James from comment #1)
> Please apply the linked patch.
https://gitlab.freedesktop.org/Mic92/xdg-utils/-/commit/1f199813e0eb0246f63b54e9e154970e609575af, if you feel it's suitable.
Upstream issue seems dead.
So this only affects people who call xdg-email and have Thunderbird as their default mail client, and fail to notice that a file got attached to their message.
This seems pretty unlikely to actually happen to me. I think we should wait for a change to be merged upstream.