High severity7.7NVD Advisory· Published Feb 26, 2026· Updated Apr 15, 2026
CVE-2026-27938
CVE-2026-27938
Description
WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.9.1, the wp-graphql/wp-graphql repository contains a GitHub Actions workflow (release.yml) vulnerable to OS command injection through direct use of ${{ github.event.pull_request.body }} inside a run: shell block. When a pull request from develop to master is merged, the PR body is injected verbatim into a shell command, allowing arbitrary command execution on the Actions runner. Version 2.9.1 contains a fix for the vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
3(expand)+ 1 more
- (no CPE)
- (no CPE)range: < 2.9.1
Patches
Vulnerability mechanics
References
2News mentions
0No linked articles in our index yet.