It's possible to inject shell characters into mailto:, news:, nntp: URLs if Thunderbird is used as the URL handler.
vulners.com/securityvulns/securityvulns:doc:17606
vulners.com/securityvulns/securityvulns:doc:17607
vulners.com/securityvulns/securityvulns:doc:17612
vulners.com/securityvulns/securityvulns:doc:17615
vulners.com/securityvulns/securityvulns:doc:17662
vulners.com/securityvulns/securityvulns:doc:17663