An issue exists in Joomla! 3.9.0 up to and including 3.9.23. The lack of escaping in mod_breadcrumbs aria-label attribute allows XSS attacks.
joomla joomla\\!