Ugh I hate updating Drupal. It's so fraught... after backing up you're supposed to:
Delete all files except the Sites folder and any files such as ".htaccess" and "robots.txt" that have been customized. (This assumes any contributed modules, custom themes etc. That you use are in the sites directory)
I cringe when I hit that delete key.
Did it last night though since it seems to be a very serious vulnerability.