The jQuery project released version 3.5.0, and as part of that, disclosed two security vulnerabilities that affect all prior versions. As mentioned in the jQuery blog, both are
"[...] security issues in jQuery’s DOM manipulation methods, as in .html(), .append(), and the others. Security advisories for both of these issues have been published on GitHub."
Those advisories are:
These vulnerabilities may be exploitable on some CiviCRM sites. This security release includes a backport to fix the specific issues -- without making any other changes to the jQuery version.
CiviCRM version 5.28.0 and earlier
CiviCRM version 5.28.1 and 5.27.5 ESR
Upgrade to the latest version of CiviCRM
Rich Lott of Artfulrobot for reporting the issue
Seamus Lee of CiviCRM Core Team for fixing the issue