An insufficient validation input flaw, one of 11 patched in an update this week, could allow for arbitrary code execution and is under active attack.