Security update: Drupal 8.6.10

Written by Mark Enrega on Thursday, February 21, 2019

Drupal has released version 8.6.10 of its content management system which addresses a highly critical security vulnerability that has been identified by the Drupal Security Team. Updates for 8 contributed modules have also been released to mitigate the same vulnerability.

It has been found that some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases. A website is only affected by this if one of the following conditions is met:

  • The website has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests; or
  • The website has another web services module enabled (like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7).


To immediately mitigate the vulnerability, all web services modules can be disabled, or configure the hosting server(s) to not allow PUT/PATCH/POST requests to web services resources. To effectively mitigate the vulnerability, all Drupal 8 websites should be updated as soon as possible.


All Drupal 8 websites that are hosted with Enrega have been updated to version 8.6.10, so no further action is required. For more information about the update process, please see our security updates for your website page.


This information has been obtained from the Drupal Security Advisory:

Drupal core - Highly critical - Remote Code Execution - SA-CORE-2019-003