CVE-2019-6340 is a remote code execution flaw in Drupal 8's REST API module that affects websites using the Drupal REST API option. A site is exposed when the Drupal 8 core RESTful API Services module is enabled, or when some other web services module is enabled on the server, such as JSON-API in Drupal 8 or REST services in Drupal 7, allowing users to send GET, PATCH, and POST requests to the server. Even with the PATCH method disabled, a GET request is enough to trigger the code execution flaw. By sending a malicious GET request carrying a serialized payload to the /node/id API endpoint, an attacker can take control of the vulnerable Drupal website and execute commands on the server.
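The request shape described above (a GET to a node resource that carries a serialized payload) can be hunted for in captured traffic. The following is an added detection sketch, not code from the original page or from Drupal; it assumes request records with hypothetical `method`, `uri` and `body` keys, as exported by a reverse proxy or WAF that logs request bodies, and the sample records are constructed.

```python
import re
from urllib.parse import urlsplit

# PHP serialize() object markers, e.g. O:8:"stdClass":0:{ (quotes may be JSON-escaped)
PHP_OBJECT = re.compile(r'\b[OC]:\d+:\\?"[A-Za-z_\\][\w\\]*\\?":\d+:\{')
# Node resource path; numeric node ID assumed
NODE_PATH = re.compile(r'^/node/\d+/?$')


def review_reasons(record):
    """Return the reasons a single request record deserves analyst review."""
    method = record.get("method", "").upper()
    path = urlsplit(record.get("uri", "")).path  # drop query string
    body = record.get("body") or ""
    reasons = []
    if not NODE_PATH.match(path):
        return reasons
    # A GET normally has no body; one aimed at a REST node resource is unusual.
    if method == "GET" and body:
        reasons.append("GET to node resource carries a request body")
    # Serialized PHP objects have no place in REST input for any method.
    if PHP_OBJECT.search(body):
        reasons.append("body contains a PHP serialized object")
    return reasons


def scan(records):
    """Return (index, reasons) for every record with at least one finding."""
    findings = []
    for index, record in enumerate(records):
        reasons = review_reasons(record)
        if reasons:
            findings.append((index, reasons))
    return findings


# Constructed sample records (hypothetical log layout, harmless payload).
SAMPLE = [
    {"method": "GET", "uri": "/node/1", "body": ""},
    {"method": "GET", "uri": "/node/7?_format=json",
     "body": r'{"field": "O:8:\"stdClass\":0:{}"}'},
    {"method": "PATCH", "uri": "/node/3",
     "body": '{"title": [{"value": "Hello"}]}'},
    {"method": "GET", "uri": "/user/1", "body": "unrelated"},
]

if __name__ == "__main__":
    for index, reasons in scan(SAMPLE):
        print(index, SAMPLE[index]["uri"], "; ".join(reasons))
```

Standard access logs do not record request bodies, so this check only works where body capture is enabled; without it, only the path and method conditions can be evaluated.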