In certain screens, the Activity "Subject" field was not properly escaped to prevent cross site scripting.
CiviCRM version 5.28.0 and earlier
CiviCRM version 5.28.1 and 5.27.5 ESR
Upgrade to the latest version of CiviCRM
Patrick Figel of Greenpeace CCE for reporting the issue
Seamus Lee of CiviCRM Core Team for fixing the issue