Where it states:
So if it is that important, 6.1 is totally useless by users of the community version. If upgrading to a 6.1.1 elite version is the only option (besides using an 'unstable' trunk version), PrimeFaces is giving off a very bad signal. I think this would really justify a 6.1-SR (security release) or 6.2 release OR make 6.1.1available to or some different solution.Security Update
We are unable to go into the details however an important fix for security has been included so if you are on 6.1 we strongly suggest updating to 6.1.1 and for users on 6.0, 6.0.19 is the suggested version.
https://github.com/primefaces/primefaces/issues/2375