In DPL3 before 3.3.6, a ReDOS vulnerability exists.
For users of 1.35, no fixed version is unfortunately available (only supports 1.36/1.37).
https://github.com/Universal-Omega/DynamicPageList3/security/advisories/GHSA-8f24-q75c-jhf4 has been published.
Users of 1.35 should Set $wgDplSettings['functionalRichness'] = 0;
Please add to the extension supplemental announcement