All versions of Drupal have critical security vulnerabilities that lets anyone take complete control over a website.
The issue was resolved in the following versions of Drupal released 28 March 2018:
There is no fix for Drupal 6.x. Drupal 6.x is therefore no longer permitted on webhotels hosted with us, and must be replaced with 7.58 or 8.5.1.
Additionally, as a one-time exception, Drupal 8.3.9 and 8.4.6 have been released as updates for 8.3 and 8.4. Drupal recommends that 8.3 and 8.4 users upgrade to 8.5.1, as 8.3 and 8.4 no longer have security support.
Source: Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002 (CVE-2018-7600)