When looking at the code of v3.3 special-mail-tags.php because of another issue, I saw a possible XSS injection in the new
elseif ( '_user_agent' == $name ) $output = substr( $_SERVER['HTTP_USER_AGENT'], 0, 254 );
If emails are sent as HTML (default Contact Form 7 setting is plain-text though) and the mail-tag is used, the shortened but unfiltered user agent ends up within the HTML of the email and can add remote scripts or other content.
More details and background information about this attack vector here:
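Added example, not part of the original post and not Contact Form 7's own code: one way to resolve the `_user_agent` mail-tag so that the value is encoded when the mail body is HTML. The function name `example_user_agent_tag`, the `$use_html` flag and the sample header are assumptions made for illustration.

```php
<?php
// Hypothetical helper (not Contact Form 7's API): resolve the _user_agent
// mail-tag for either a plain-text or an HTML mail body.
function example_user_agent_tag( array $server, $use_html ) {
    $raw = isset( $server['HTTP_USER_AGENT'] ) ? (string) $server['HTTP_USER_AGENT'] : '';

    // Drop control characters (CR, LF, NUL, ...) that have no place in a user agent.
    $raw = preg_replace( '/[\x00-\x1F\x7F]/', '', $raw );

    // Truncate the raw value first, as the original line does, so that the
    // length limit never cuts an entity such as &lt; in half.
    $raw = substr( $raw, 0, 254 );

    if ( ! $use_html ) {
        return $raw; // plain-text mail: no markup is interpreted
    }

    // HTML mail: encode for the HTML context. ENT_SUBSTITUTE keeps the call
    // from returning '' when substr() split a multi-byte UTF-8 sequence.
    return htmlspecialchars( $raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
}

// Constructed sample request header, for illustration only.
$server = array(
    'HTTP_USER_AGENT' => 'Mozilla/5.0 <script src="//example.invalid/x.js"></script>',
);

echo example_user_agent_tag( $server, false ), "\n"; // plain-text body
echo example_user_agent_tag( $server, true ), "\n";  // HTML body, encoded
```

Inside WordPress, `esc_html()` is the usual function for the same HTML-context encoding.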