diff --git a/CHANGELOG.txt b/CHANGELOG.txt index 8a567dc0623eabf0584fa9fb59328358591d2d14..68fc5bae50bb505ad648560ee5fda20f785d5075 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt @@ -1,6 +1,11 @@ Drupal 7.xx, xxxx-xx-xx (development version) ----------------------- +Drupal 7.66, 2019-04-17 +----------------------- +- Fixed security issues: + - SA-CORE-2019-006 + Drupal 7.65, 2019-03-20 ----------------------- - Fixed security issues: diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc index 1b5c53408f8a356036bdafd6f0eaf527594dc6ff..908005722ed2c6cc5593f188b9eff36b88c1a3ef 100644 --- a/includes/bootstrap.inc +++ b/includes/bootstrap.inc @@ -8,7 +8,7 @@ /** * The current system version. */ -define('VERSION', '7.65'); +define('VERSION', '7.66'); /** * Core API compatibility. diff --git a/misc/jquery-extend-3.4.0.js b/misc/jquery-extend-3.4.0.js new file mode 100644 index 0000000000000000000000000000000000000000..975910949968c73d385791d61da47ddf13d06eaf --- /dev/null +++ b/misc/jquery-extend-3.4.0.js 
@@ -0,0 +1,112 @@
+/**
+ * For jQuery versions less than 3.4.0, this replaces the jQuery.extend
+ * function with the one from jQuery 3.4.0, slightly modified (documented
+ * below) to be compatible with older jQuery versions and browsers.
+ *
+ * This provides the Object.prototype pollution vulnerability fix to Drupal
+ * installations running older jQuery versions, including the versions shipped
+ * with Drupal core and https://www.drupal.org/project/jquery_update.
+ *
+ * @see https://github.com/jquery/jquery/pull/4333
+ */
+
+(function (jQuery) {
+
+// Do not override jQuery.extend() if the jQuery version is already >=3.4.0.
+var versionParts = jQuery.fn.jquery.split('.');
+var majorVersion = parseInt(versionParts[0]);
+var minorVersion = parseInt(versionParts[1]);
+var patchVersion = parseInt(versionParts[2]);
+var isPreReleaseVersion = (patchVersion.toString() !== versionParts[2]);
+if (
+ (majorVersion > 3) ||
+ (majorVersion === 3 && minorVersion > 4) ||
+ (majorVersion === 3 && minorVersion === 4 && patchVersion > 0) ||
+ (majorVersion === 3 && minorVersion === 4 && patchVersion === 0 && !isPreReleaseVersion)
+) {
+ return;
+}
+
+/**
+ * This is almost verbatim copied from jQuery 3.4.0.
+ *
+ * Only two minor changes have been made:
+ * - The call to isFunction() is changed to jQuery.isFunction().
+ * - The two calls to Array.isArray() is changed to jQuery.isArray().
+ *
+ * The above two changes ensure compatibility with all older jQuery versions
+ * (1.4.4 - 3.3.1) and older browser versions (e.g., IE8).
+ */
+jQuery.extend = jQuery.fn.extend = function() {
+ var options, name, src, copy, copyIsArray, clone,
+ target = arguments[ 0 ] || {},
+ i = 1,
+ length = arguments.length,
+ deep = false;
+
+ // Handle a deep copy situation
+ if ( typeof target === "boolean" ) {
+ deep = target;
+
+ // Skip the boolean and the target
+ target = arguments[ i ] || {};
+ i++;
+ }
+
+ // Handle case when target is a string or something (possible in deep copy)
+ if ( typeof target !== "object" && !jQuery.isFunction( target ) ) {
+ target = {};
+ }
+
+ // Extend jQuery itself if only one argument is passed
+ if ( i === length ) {
+ target = this;
+ i--;
+ }
+
+ for ( ; i < length; i++ ) {
+
+ // Only deal with non-null/undefined values
+ if ( ( options = arguments[ i ] ) != null ) {
+
+ // Extend the base object
+ for ( name in options ) {
+ copy = options[ name ];
+
+ // Prevent Object.prototype pollution
+ // Prevent never-ending loop
+ if ( name === "__proto__" || target === copy ) {
+ continue;
+ }
+
+ // Recurse if we're merging plain objects or arrays
+ if ( deep && copy && ( jQuery.isPlainObject( copy ) ||
+ ( copyIsArray = jQuery.isArray( copy ) ) ) ) {
+ src = target[ name ];
+
+ // Ensure proper type for the source value
+ if ( copyIsArray && !jQuery.isArray( src ) ) {
+ clone = [];
+ } else if ( !copyIsArray && !jQuery.isPlainObject( src ) ) {
+ clone = {};
+ } else {
+ clone = src;
+ }
+ copyIsArray = false;
+
+ // Never move original objects, clone them
+ target[ name ] = jQuery.extend( deep, clone, copy );
+
+ // Don't bring in undefined values
+ } else if ( copy !== undefined ) {
+ target[ name ] = copy;
+ }
+ }
+ }
+ }
+
+ // Return the modified object
+ return target;
+};
+
+})(jQuery);
diff --git a/modules/system/system.install b/modules/system/system.install
index 862436429e727b8636fb680bcf8e27552231dc0e..61bc079d7aa43dd8cb16917b4a4e4928fc0ac10c 100644
--- a/modules/system/system.install
+++ b/modules/system/system.install
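Review bot: The version guard at the top of misc/jquery-extend-3.4.0.js calls `parseInt` without a radix on all three components; since the file explicitly targets old browsers such as IE8, pass it explicitly so that no component can be read as octal: `var majorVersion = parseInt(versionParts[0], 10);` and likewise for minor and patch. The guard otherwise fails safe, because an unparseable version yields NaN, every comparison is false and the patched extend is installed. The override only reaches the copy bound to the global `jQuery` when this file runs, so a second jQuery loaded later by a module or theme (presumably possible via noConflict) keeps its unpatched extend; a header line such as `// Patches only the jQuery instance passed in below; copies loaded later are not covered.` would make that limit explicit. The commit adds no test; a regression test that deep-extends from a source object carrying an own `__proto__` key and asserts that Object.prototype gains no property would pin the fix.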
@@ -3300,6 +3300,13 @@ function system_update_7081() { ->execute(); } +/** + * Add 'jquery-extend-3.4.0.js' to the 'jquery' library. + */ +function system_update_7082() { + // Empty update to force a rebuild of hook_library() and JS aggregates. +} + /** * @} End of "defgroup updates-7.x-extra". * The next series of updates should start at 8000. diff --git a/modules/system/system.module b/modules/system/system.module index 53844d878fa4f96d4c7186003d455bb7ffcec591..4ce6b9b99ddc62a5bd8d0e3454befd9a73c05663 100644 --- a/modules/system/system.module +++ b/modules/system/system.module @@ -1182,6 +1182,9 @@ function system_library() { 'version' => '1.4.4', 'js' => array( 'misc/jquery.js' => array('group' => JS_LIBRARY, 'weight' => -20), + // This includes a security fix, so assign a weight that makes this load + // as soon after jquery.js is loaded as possible. + 'misc/jquery-extend-3.4.0.js' => array('group' => JS_LIBRARY, 'weight' => -19), ), ); diff --git a/profiles/wcm_base/CHANGELOG.txt b/profiles/wcm_base/CHANGELOG.txt index 2037d9e3ce11a580168dd34a9fe2dab1c58f4281..71264604842f90332b1a873981d3262bb56fee06 100644 --- a/profiles/wcm_base/CHANGELOG.txt +++ b/profiles/wcm_base/CHANGELOG.txt @@ -1,3 +1,9 @@ +WCM Base 7.x-1.14-rc3, 2019-04-14 +--------------------------------- +- WCM Omega: + - Added panels layout 11a. + - Added margin below breadcrumbs. + WCM Base 7.x-1.14-rc2, 2019-04-04 --------------------------------- - OCIO Media: Added PDF mimetype to document type missing since Panopoly 1.65. diff --git a/profiles/wcm_base/themes/wcm_omega/css/wcm-omega.normalize.css b/profiles/wcm_base/themes/wcm_omega/css/wcm-omega.normalize.css old mode 100755 new mode 100644 diff --git a/profiles/wcm_base/themes/wcm_omega/css/wcm-omega.styles.css b/profiles/wcm_base/themes/wcm_omega/css/wcm-omega.styles.css old mode 100755 new mode 100644 
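Review bot: In the system_library() hunk, the weight of -19 on `misc/jquery-extend-3.4.0.js` only fixes its order relative to `misc/jquery.js` at -20; any other JS_LIBRARY script registered at -19, or between the two, could run before the patched `jQuery.extend` is installed, depending on how ties are ordered. system_library() starts and ends outside this hunk, so whether another entry shares that weight is not visible here and should be checked. Code that adds `misc/jquery.js` directly rather than through this library would presumably miss the fix as well, so I would extend the comment with `// Scripts that add misc/jquery.js without this library do not get the fix.`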
diff --git a/profiles/wcm_base/themes/wcm_omega/package.json b/profiles/wcm_base/themes/wcm_omega/package.json index 96a9ba24f93f520a184c62d9211305f0f08040f1..d5f4ad693ce103f92934adcb324a8592115da8f0 100644 --- a/profiles/wcm_base/themes/wcm_omega/package.json +++ b/profiles/wcm_base/themes/wcm_omega/package.json @@ -6,7 +6,9 @@ "scripts": { "postinstall": "find node_modules -type f -name '*.info' | xargs rm" }, - "dependencies": {}, + "dependencies": { + "node-sass": "^4.11.0" + }, "devDependencies": { "breakpoint-sass": "^2.6.1", "browser-sync": "^2.9.8", diff --git a/profiles/wcm_base/themes/wcm_omega/panels/assets/panels-layout-template.ai b/profiles/wcm_base/themes/wcm_omega/panels/assets/panels-layout-template.ai old mode 100755 new mode 100644 diff --git a/profiles/wcm_base/themes/wcm_omega/panels/layouts/wcm-omega-11a/wcm-omega-11a.inc b/profiles/wcm_base/themes/wcm_omega/panels/layouts/wcm-omega-11a/wcm-omega-11a.inc old mode 100755 new mode 100644 diff --git a/profiles/wcm_base/themes/wcm_omega/panels/layouts/wcm-omega-11a/wcm-omega-11a.png b/profiles/wcm_base/themes/wcm_omega/panels/layouts/wcm-omega-11a/wcm-omega-11a.png old mode 100755 new mode 100644 diff --git a/profiles/wcm_base/themes/wcm_omega/panels/layouts/wcm-omega-11a/wcm-omega-11a.tpl.php b/profiles/wcm_base/themes/wcm_omega/panels/layouts/wcm-omega-11a/wcm-omega-11a.tpl.php old mode 100755 new mode 100644 diff --git a/profiles/wcm_base/themes/wcm_omega/panels/layouts/wcm-omega-layouts.css b/profiles/wcm_base/themes/wcm_omega/panels/layouts/wcm-omega-layouts.css index 4791852b08f07bf592cbd6ffeefbb5408085b8a2..dbcf8b58ba55eb04557fadb6f68f7812729c3a24 100644 --- a/profiles/wcm_base/themes/wcm_omega/panels/layouts/wcm-omega-layouts.css +++ b/profiles/wcm_base/themes/wcm_omega/panels/layouts/wcm-omega-layouts.css @@ -28,7 +28,6 @@ width: 100%; } - .column-panel.column-left { float: left; clear: both; @@ -38,8 +37,6 @@ margin-right: 0; } - - /* tile rows */ .tile-panel { float: left; 
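Review bot: In the wcm_omega package.json hunk, `node-sass` is added under `dependencies`, while the other build tools visible here (`breakpoint-sass`, `browser-sync`) sit in `devDependencies`; unless the theme needs it at runtime, move `"node-sass": "^4.11.0"` into `devDependencies`. The caret range admits any later 4.x release on a fresh install, and node-sass fetches or compiles a native binding at install time, so pinning an exact version and committing a lockfile would make the build reproducible and easier to audit. The change is also unrelated to the Drupal 7.66 security update in the same commit and would be simpler to review on its own. The package.json object continues outside the hunk.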
@@ -52,7 +49,6 @@ margin-right: 0; } - /* tile rows alternate (division of 5) */ .tile-5 { width: 18%; @@ -64,7 +60,6 @@ margin-right: 0; } - /* exceptions and overrides */ .wcm-omega-8a .row-1 { margin-bottom: 1.5em; @@ -72,12 +67,19 @@ /* iPad or less */ @media only screen and (max-width: 759px) { - .span2, .span3, .span4, .span6, .span8, .span9, .span10, .tile-5 { + .span2, + .span3, + .span4, + .span6, + .span8, + .span9, + .span10, + .tile-5 { width: 100%; float: none; margin-right: 0; - } - + } + .column-panel.column-right { margin-top: 30px; } diff --git a/profiles/wcm_base/themes/wcm_omega/sass/base/_breadcrumbs.scss b/profiles/wcm_base/themes/wcm_omega/sass/base/_breadcrumbs.scss old mode 100755 new mode 100644