Multiple vulnerabilities are possible if an untrusted user has access to write Twig code, including potential unauthorized read access to private files, the contents of other files on the server, or database credentials.
The module doesn't sufficiently verify that it's communicating with the correct server when using the Elavon (On-site) payment gateway. To correct this, install the latest version.
Multiple vulnerabilities have been detected in Drupal Core that can allow remote attackers to execute arbitrary code, access sensitive information, and carry out cross-site scripting attacks on the targeted systems.
The Tagify module security update addresses an access bypass: an attacker with the permission "access content" can view and reference unpublished terms.
The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. To correct this, install the most recent version of Drupal 9.
Under certain circumstances, the Drupal core form API evaluates form element access incorrectly. To resolve this, install one of the latest Drupal 9 versions.