Drupal announced that they will release today (Wed July 13th 2016 16:00 UTC) a patch that will fix highly critical remote code execution vulnerabilities in contributed modules. Drupal core is not affected.

The vulnerability is a "PHP Arbitrary Code Execution" and is rated up to 22/25 (based on risk calculation model used by Drupal - details here). The vulnerable modules are used on between 1.000 and 10.000 instances.

If you maintain one or more Drupal websites, review the list of affected contributed modules and apply the patch as soon as possible if you're affected.

Link to the advisory ID: DRUPAL-PSA-2016-001

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key