Read the official Contao announcements.
Contao 3.5.15 is available
by Leo Feyer – Announcements
Contao version 3.5.15 is available. The bugfix release fixes an XSS security vulnerability in the mediaelement.js plugin.
If you cannot update Contao, you should at least update the mediaelement.js plugin, which is located in the
assets/jquery/mediaelement folder. The security vulnerability has been fixed in version 2.21.1.