VYPR
High severityCISA KEVNVD Advisory· Published Feb 21, 2019· Updated Oct 21, 2025

Drupal core - Highly critical - Remote Code Execution

CVE-2019-6340

Description

Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7. (Note: The Drupal 7 Services module itself does not require an update at this time, but you should apply other contributed updates associated with this advisory if Services is in use.)

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
drupal/corePackagist
>= 8.6.0, < 8.6.108.6.10
drupal/corePackagist
>= 7.0.0, < 7.62.07.62.0
drupal/corePackagist
>= 8.0.0, < 8.5.118.5.11
drupal/drupalPackagist
>= 7.0.0, < 7.62.07.62.0
drupal/drupalPackagist
>= 8.0.0, < 8.5.118.5.11
drupal/drupalPackagist
>= 8.6.0, < 8.6.108.6.10

Affected products

3

Patches

Vulnerability mechanics

References

14

News mentions

1