Drupal released security updates to fix the vulnerabilities in jQuery and Symfony libraries which are included in the Drupal core. A remote attacker may send specially crafted HTTP requests to exploit the vulnerabilities.
A successful attack could lead to remote code execution, cross site scripting (XSS) or security restriction bypass on an affected system.
The product vendor has released patches to address the issues.
https://www.drupal.org/sa-core-2019-005
https://www.drupal.org/sa-core-2019-006
https://www.us-cert.gov/ncas/current-activity/2019/04/17/Drupal-Releases-Security-Updates
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10909 (to CVE-2019-10911)