An issue exists in Joomla! prior to 3.9.21. Lack of escaping in mod_latestactions allows XSS attacks.
joomla joomla\\!