Drupal has had a bad first half of 2018 regarding security. Following Drupalgeddon 2 and the botnet exploits came a smaller update. This is now followed with a critical vulnerability (SA-CORE-2018-004) that allows remote code execution. The commit showing the made patches to Drupal 8.x is available online: 7bff52b3a15d
The flaw exists in the Drupal core package in all supported versions of Drupal, eg. 7.x and 8.x releases. This vulnerability allows attackers to exploit Drupal powered sites from numerous attack vectors. The end result being the site compromised as remote code can be executed, possibly giving unrestricted control to the hosting environment.
To make matters worse for Drupal security records, the vulnerability is being actively exploited hours after the patch was released by the Drupal core team. Regardless of how well the security team has worked to reveal these, it’s up to the community of users using Drupal to upgrade.
All in all the