Vulnerability is critical remote code execution (RCE) flaw in Drupal Core that could “lead to arbitrary PHP code execution in some cases” The flaw resides due to the fact that some field types do not properly sanitize data from non-form sources. If you are using Drupal 8.5.x or earlier, upgrade your website to 8.6.10.11. The vulnerability is only affected if the RESTful Web Services (rest) module is enabled and allows PATCH or POST requests.
Source: https://thehackernews.com/2019/02/hacking-drupal-vulnerability.html