Vulnerability Description
WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.9.1, the `wp-graphql/wp-graphql` repository contains a GitHub Actions workflow (`release.yml`) vulnerable to OS command injection through direct use of `${{ github.event.pull_request.body }}` inside a `run:` shell block. When a pull request from `develop` to `master` is merged, the PR body is injected verbatim into a shell command, allowing arbitrary command execution on the Actions runner. Version 2.9.1 contains a fix for the vulnerability.
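The pattern behind this class of bug, and its fix, shown as an added illustration. This is not the project's actual `release.yml`; the workflow name, trigger, job, step names and the output file are assumptions chosen to show the mechanism. The Actions runner expands `${{ ... }}` expressions textually before the shell ever runs the script, so event data placed directly in `run:` becomes part of the shell source. Passing the same value through `env:` makes the shell treat it as data.

```yaml
# Added example, not WPGraphQL's workflow. Names below are assumptions.
name: release-notes-example
on:
  pull_request:
    types: [closed]
    branches: [master]

jobs:
  notes:
    # Only act on merged PRs (mirrors the "merged to master" condition).
    if: github.event.pull_request.merged == true
    runs-on: ubuntu-latest
    steps:
      # VULNERABLE: the expression is substituted into the script text by the
      # runner, so quotes or command substitution in the PR body are executed
      # by the shell with the job's token and secrets.
      - name: Build release notes (unsafe pattern)
        run: |
          echo "${{ github.event.pull_request.body }}" > release-notes.md

      # HARDENED: route untrusted event data through an environment variable.
      # The runner puts the value in the process environment; the shell then
      # expands "$PR_BODY" as a plain string and never parses it as commands.
      - name: Build release notes (safe pattern)
        env:
          PR_BODY: ${{ github.event.pull_request.body }}
        run: |
          printf '%s\n' "$PR_BODY" > release-notes.md
```

The same indirection applies to every attacker-influenced event field (issue titles, branch names, commit messages, review comments), and it is the mitigation GitHub's own security-hardening guidance recommends. For detection, a review of `.github/workflows/*.yml` for `${{ github.event.` appearing inside `run:` or `script:` blocks finds this pattern without executing anything.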
CVSS Score
7.7 (HIGH)
Related Weaknesses (CWE)
References
- https://github.com/wp-graphql/wp-graphql/commit/de0c2d590593f1099546ad517106e454
- https://github.com/wp-graphql/wp-graphql/security/advisories/GHSA-4q9f-mjxf-rx7x
FAQ
What is CVE-2026-27938?
CVE-2026-27938 is a vulnerability with a CVSS score of 7.7 (HIGH). WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.9.1, the `wp-graphql/wp-graphql` repository contains a GitHub Actions workflow (`release.yml`) vulnerable to OS command injecti...
How severe is CVE-2026-27938?
CVE-2026-27938 has been rated HIGH with a CVSS base score of 7.7/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-27938?
Yes. Version 2.9.1 contains a fix for the vulnerability. See the references section above for the GitHub security advisory and the fixing commit.