CVE-2026-27938

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-27938
WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.9.1, the `wp-graphql/wp-graphql` repository contains a GitHub Actions workflow (`release.yml`) vulnerable to OS command injection through direct use of `${{ github.event.pull_request.body }}` inside a `run:` shell block. When a pull request from `develop` to `master` is merged, the PR body is injected verbatim into a shell command, allowing arbitrary command execution on the Actions runner. Version 2.9.1 contains a fix for the vulnerability.

7.7 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.3 / Impact : 5.8

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://github.com/wp-graphql/wp-graphql/commit/de0c2d590593f1099546ad517106e454a498bc58
https://github.com/wp-graphql/wp-graphql/security/advisories/GHSA-4q9f-mjxf-rx7x
Configurations

No configuration.

History

15 Apr 2026, 00:35

Type Values Removed Values Added
Summary
  • (es) WPGraphQL proporciona una API GraphQL para sitios de WordPress. Antes de la versión 2.9.1, el repositorio 'wp-graphql/wp-graphql' contiene un flujo de trabajo de GitHub Actions ('release.yml') vulnerable a la inyección de comandos del sistema operativo mediante el uso directo de '${{ github.event.pull_request.body }}' dentro de un bloque de shell 'run:'. Cuando se fusiona una solicitud de extracción de 'develop' a 'master', el cuerpo de la PR se inyecta textualmente en un comando de shell, lo que permite la ejecución arbitraria de comandos en el ejecutor de Actions. La versión 2.9.1 contiene una solución para la vulnerabilidad.

26 Feb 2026, 02:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-02-26 02:16

Updated : 2026-04-15 00:35

NVD link : CVE-2026-27938

Mitre link : CVE-2026-27938

CVE.ORG link : CVE-2026-27938

JSON object : View

Products Affected

No product.

CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')