Another Highly Critical Remote Code Execution in Drupal (SA-CORE-2018-004)

April 26, 2018

NOTE: These vulnerabilities are already being exploited in the wild. If you have an affected Drupal site, update IMMEDIATELY!


A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. [1]


This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised. [1]

This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild. [1]


  • Drupal 7.x
  • Drupal 8.x


  • If you are running 7.x, upgrade to Drupal 7.59. [1]
  • If you are running 8.5.x, upgrade to Drupal 8.5.3. [1]
  • If you are running 8.4.x, upgrade to Drupal 8.4.8. ("Drupal 8.4.x is no longer supported and we don't normally provide security releases for unsupported minor releases. However, we are providing this 8.4.x release so that sites can update as quickly as possible. You should update to 8.4.8 immediately, then update to 8.5.3 or the latest secure release as soon as possible.") [1]
  • If you cannot upgrade to the recommended release right away, temporary fixes are available. See the SA-CORE-2018-004 advisory for details. [1]
  • Open Berkeley sites hosted at Pantheon were already patched by the Web Platform Services team on April 25th, 2018. [2] [3]
  • If you operate your own Drupal site (that is not hosted with the Open Berkeley/Pantheon turnkey solution), you must upgrade immediately