The 10.14.28 patch release addresses a number of issues originally fixed in 10.16.12. These include a security issue with X-Frame-Options not being set on access denied pages + query objects not being correctly deserialized for delayed viewlets.
15 Dec 2021
[PRESIDECMS-2251] No X-Frame-Options header set on accessDenied events
[PRESIDECMS-2249] Delayed viewlets: query object args are not passed correctly
[PRESIDECMS-2244] Email template: view online link is present in view online content