Previous work: T285405: Tracking bug for MediaWiki 1.31.16/1.35.4/1.36.2
Tracking bug for next security release, 1.35.5/1.36.3/1.37.1
n.b. T292763 already landed in mw core master and, therefore, has been disclosed.
n.b. T294686 is for Nuke, which is bundled and deployed, but the vulnerability in this task was only on master for a week or so, so it was technically disclosed early, but should likely be mentioned within the release announcement.