Targeting both the most recent Mediawiki 1.35 and 1.36 based Wikibase releases, i.e. 1.35.5-wmde3, and 1.36.3-wmde4.
Issues for which fixes are to be included:
T298839: XSS in WDQS query helper
T298871: XSS in WDQS UI result view explore button
Once the Wikibase releases are published, security fixes applied to Wikidata and wikibase.cloud, the relevant issues and tasks can be made public and closed.