IIRC Mozilla usually categorize internally-found bugs into a few large CVE IDs, grouped by severity, with around ten or so bugs in each. Every advisory gets several CVEs of this kind, for example, <https://www.mozilla.org/en-US/security/advisories/mfsa2026-2...>, <https://www.mozilla.org/en-US/security/advisories/mfsa2026-1...>, <https://www.mozilla.org/en-US/security/advisories/mfsa2026-0...>, etc.