diff --git a/4.1-Extensions.md b/4.1-Extensions.md
index b98d2b0..de1a8df 100644
--- a/4.1-Extensions.md
+++ b/4.1-Extensions.md
@@ -23,8 +23,6 @@ This list covers privacy and security related extensions only. While we believe
---
### :small_orange_diamond: Extensions (maybe)
-* [uMatrix](https://addons.mozilla.org/firefox/addon/umatrix/) ✔ [Privacy](https://github.com/gorhill/uMatrix/wiki/Privacy-policy) | [GitHub](https://github.com/gorhill/uMatrix)
- - No longer maintained. Everything uMatrix did can be covered by prefs or other extensions: use uBlock Origin for any content blocking. However, uMatrix was very stable. Use it as long as it works for you... except that's risky, because how do you *know* it's working properly?
* [HTTPS Everywhere](https://addons.mozilla.org/firefox/addon/https-everywhere/) ✔ [Privacy](https://www.eff.org/code/privacy/policy) | [GitHub](https://github.com/EFForg/https-everywhere)
- If you're using HTTPS-Only mode (usable since FF83), then this is basically redundant, especially as more of the web turns to secure context
* [CanvasBlocker](https://addons.mozilla.org/firefox/addon/canvasblocker/) ✔ [Privacy](https://addons.mozilla.org/firefox/addon/canvasblocker/privacy/) | [GitHub](https://github.com/kkapsner/CanvasBlocker)
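Review bot: The HTTPS Everywhere entry left as context directly below the removed lines is described as "basically redundant" with HTTPS-Only mode, which is the same kind of argument used to move uMatrix out of "Extensions (maybe)". Consider whether it should move with uMatrix, or add a short reason why it stays in this section. Also note the removed sub-bullet told readers "Use it as long as it works for you"; make sure the replacement entry clearly withdraws that advice for people who already have uMatrix installed.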
@@ -55,6 +53,10 @@ These extensions will not mask or alter any data sent or received, but may be us
---
### :small_orange_diamond: Don't Bother...
+* [uMatrix](https://addons.mozilla.org/firefox/addon/umatrix/) ✔ [Privacy](https://github.com/gorhill/uMatrix/wiki/Privacy-policy) | [GitHub](https://github.com/gorhill/uMatrix)
+ - No longer maintained, the last commit was April 2020
+ - ⚠️ Contains at least one [unpatched vulnerability](https://github.com/vtriolet/writings/blob/main/posts/2021/ublock_origin_and_umatrix_denial_of_service.adoc)
+ - Everything uMatrix did can be covered by prefs or other extensions: use uBlock Origin for any content blocking.
* Cookie extensions
* ❗️ Functionality for extensions may be missing for clearing IndexedDB, Service Workers cache, or cache **by host**. Clearing cookies & localStorage on their own, and leaving orphaned persistent data is a false sense of privacy
* see [1340511](https://bugzilla.mozilla.org/1340511) for progress on this
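Review bot: The warning sub-bullet links "unpatched vulnerability" without saying what kind of issue it is, and the target is a file on the `main` branch of a third-party repository. The URL indicates a denial of service affecting uBlock Origin and uMatrix, so naming that class in the link text would let readers judge the risk without leaving the page, and a commit permalink would keep the reference stable if the file is moved or renamed. Since the same entry recommends uBlock Origin, it would help to say whether the linked issue is fixed there. Minor style points: "No longer maintained, the last commit was April 2020" is a comma splice ("No longer maintained; the last commit was in April 2020"), only the third sub-bullet ends with a period, and the new sub-bullets use `-` while the "Cookie extensions" sub-bullets just below use `*`.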