An issue exists in Joomla! prior to 3.9.4. The media form field lacks escaping, leading to XSS.
joomla joomla\\!