A newly discovered bug has been assigned the CVE-2019-6340 identifier and is in Drupal core. The bug affects branches 8.5.x and 8.6.x of the CMS, which fix the problem in versions 8.11 and.6.10, respectively. Vulnerable websites have Drupal 8 core RESTful Web Services (rest) module turned on and allow PATCH or POST requests. The vulnerability is possible because some field types fail to properly sanitize data from non-form sources.
Source: https://www.bleepingcomputer.com/news/security/drupal-fixes-highly-critical-vulnerability/