I’m always confused why the energy isn’t just put on pressuring Firefox publicly rather than just sitting in comments being negative and suggesting forks that critically depend on Firefox and can no way continue development without upstream.

You’re going to need to back up your claim otherwise you might as well be lying as there’s no CVE like this I can find nor any public disclosure.

Plex have a bug bounty program and a responsive security team too.

Post your security report.