Yes Drupal version 7.x - 3.5 now has a remote command injection vulnerability. Packetstormsecurity has a page on it.
patch to the latest software (May 3rd or newer) to prevent this.
Drupal is a popular Content management System software for websites. The newest version 8 is coming soon. but until then please update and patch.