Magento versions 1.14.4.5 and earlier, and 1.9.4.5 and earlier have a php object injection vulnerability. Successful exploitation could lead to arbitrary code execution.
A patch SUPEE-11346 is available at Magento Open Source Download Page > Release Archive Tab > Magento Open Source Patches - 1.x Section