CVE-2019-6340
HIGHCISA KEVEPSS 100th pctlDescription
Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7. (Note: The Drupal 7 Services module itself does not require an update at this time, but you should apply other contributed updates associated with this advisory if Services is in use.)
CVSS v3 Vector
Exploitability
Impact
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit Intelligence
Very high risk: more likely to be exploited than 100% of all known CVEs.
Drupal Core Remote Code Execution Vulnerability
In Drupal Core, some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases.
Apply updates per vendor instructions.
Remediation due: 2022-04-15
References
- http://www.securityfocus.com/bid/107106
- https://www.drupal.org/sa-core-2019-003
- https://www.exploit-db.com/exploits/46452/
- https://www.exploit-db.com/exploits/46459/
- https://www.exploit-db.com/exploits/46510/
- https://www.synology.com/security/advisory/Synology_SA_19_09
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-6340
Find and fix vulnerabilities across your fleet
TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.
Start freeThis product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2025-11-07.