An issue exists in Joomla! prior to 3.9.6. The debug views of com_users do not properly escape user supplied data, which leads to a potential XSS attack vector.
joomla joomla\\!