Quote:Drupal patched two critical remote code execution vulnerabilities which would have allowed attackers to exploit Drupal CMS installations with versions prior to 7.60, 8.6.2, and 8.5.8.

The first critical vulnerability resided in Drupal's DefaultMailSystem::mail() mailing component and it leads to RCE when sent emails contain variables which were not sanitized for shell arguments. The second critical security issue patched by Drupal was present in the Contextual Links module which did not sufficiently validate requested contextual links.
"This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access contextual links," according to Drupal's SA-CORE-2018-006 security advisory.