High severity7.7NVD Advisory· Published Feb 26, 2026· Updated Apr 15, 2026
CVE-2026-27938
CVE-2026-27938
Description
WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.9.1, the wp-graphql/wp-graphql repository contains a GitHub Actions workflow (release.yml) vulnerable to OS command injection through direct use of ${{ github.event.pull_request.body }} inside a run: shell block. When a pull request from develop to master is merged, the PR body is injected verbatim into a shell command, allowing arbitrary command execution on the Actions runner. Version 2.9.1 contains a fix for the vulnerability.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2News mentions
3- Wordfence Intelligence Weekly WordPress Vulnerability Report (May 4, 2026 to May 10, 2026)Wordfence Blog · May 14, 2026
- Wordfence Intelligence Weekly WordPress Vulnerability Report (April 20, 2026 to April 26, 2026)Wordfence Blog · Apr 30, 2026
- Wordfence Intelligence Weekly WordPress Vulnerability Report (March 23, 2026 to March 29, 2026)Wordfence Blog · Apr 2, 2026