Five hours after the Drupal team published a security update for the Drupal CMS, hackers have found a way to weaponize the patched vulnerability. The vulnerability is a remote code execution (RCE) bug that affects both Drupal 7.x and 8.x versions. Both flaws are related to how Drupal handles the “#”” character used in its URLs
Source: