Critical Drupal vulnerability with an active exploit


All owners and admin of Drupal 8 sites: please read: 

According to, there are over 85000 active Drupal sites. Perhaps not all of them are version 8, but could be a significant number. And we can only assume many would have enabled API access or installed modules that make them vulnerable to the latest vulnerability ‘Drupal core - Highly critical - Remote Code Execution - SA-CORE-2019-003’, as explained on the Drupal Security Advisory:

The vulnerability has been fixed in Drupal 8.6.10 and 8.6.11. 

We advise all to patch as soon as possible to prevent losing your Drupal site.