CVE-2026-27938

Summary

WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.9.1, the wp-graphql/wp-graphql repository contains a GitHub Actions workflow (release.yml) vulnerable to OS command injection through direct use of ${{ github.event.pull_request.body }} inside a run: shell block. When a pull request from develop to master is merged, the PR body is injected verbatim into a shell command, allowing arbitrary command execution on the Actions runner. Version 2.9.1 contains a fix for the vulnerability.

Affected Software

VendorProductVersion RangeStatus
wp-graphqlwp-graphql< 2.9.1affected

Weaknesses

  • CWE-78: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

References