The Drupal team has released a patch for a flaw they call highly critical, one that allows an attacker to run arbitrary code on a Drupal web site with no authentication required. All the attacker needs to know is the URL of the web site.
Drupal rates the severity of the flaw a 21 on a 1 to 25 scale.
They said they expect exploits to be developed within hours or days.
From a risk standpoint, an unauthenticated user being able to run arbitrary code on your website is about as bad as it gets.
All recent Drupal versions are affected (6, 7 and 8), and Drupal has created patches for old, unsupported versions.
Details are available here.