Medium
By default, JSON:API works in a read-only mode which makes it impossible to exploit the vulnerability. Only sites that have the read_only set to FALSE under jsonapi.settings config are vulnerable.
The Drupal core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities.
Drupal
Drupal recommends users to install the latest version.