{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27938", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-25T03:11:36.689Z", "datePublished": "2026-02-26T01:10:26.985Z", "dateUpdated": "2026-02-26T19:22:46.590Z"}, "containers": {"cna": {"title": "WPGraphQL Repo Vulnerable to Command Injection via Unsanitized GitHub Actions Expression in Release Workflow", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/wp-graphql/wp-graphql/security/advisories/GHSA-4q9f-mjxf-rx7x", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/wp-graphql/wp-graphql/security/advisories/GHSA-4q9f-mjxf-rx7x"}, {"name": "https://github.com/wp-graphql/wp-graphql/commit/de0c2d590593f1099546ad517106e454a498bc58", "tags": ["x_refsource_MISC"], "url": "https://github.com/wp-graphql/wp-graphql/commit/de0c2d590593f1099546ad517106e454a498bc58"}], "affected": [{"vendor": "wp-graphql", "product": "wp-graphql", "versions": [{"version": "< 2.9.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-26T01:10:26.985Z"}, "descriptions": [{"lang": "en", "value": "WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.9.1, the `wp-graphql/wp-graphql` repository contains a GitHub Actions workflow (`release.yml`) vulnerable to OS command injection through direct use of `${{ github.event.pull_request.body }}` inside a `run:` shell block. When a pull request from `develop` to `master` is merged, the PR body is injected verbatim into a shell command, allowing arbitrary command execution on the Actions runner. Version 2.9.1 contains a fix for the vulnerability."}], "source": {"advisory": "GHSA-4q9f-mjxf-rx7x", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-26T19:22:31.745230Z", "id": "CVE-2026-27938", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T19:22:46.590Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.9.1, the `wp-graphql/wp-graphql` repository contains a GitHub Actions workflow (`release.yml`) vulnerable to OS command injection through direct use of `${{ github.event.pull_request.body }}` inside a `run:` shell block. When a pull request from `develop` to `master` is merged, the PR body is injected verbatim into a shell command, allowing arbitrary command execution on the Actions runner. Version 2.9.1 contains a fix for the vulnerability."}, {"lang": "es", "value": "WPGraphQL proporciona una API GraphQL para sitios de WordPress. Antes de la versi\u00f3n 2.9.1, el repositorio 'wp-graphql/wp-graphql' contiene un flujo de trabajo de GitHub Actions ('release.yml') vulnerable a la inyecci\u00f3n de comandos del sistema operativo mediante el uso directo de '${{ github.event.pull_request.body }}' dentro de un bloque de shell 'run:'. Cuando se fusiona una solicitud de extracci\u00f3n de 'develop' a 'master', el cuerpo de la PR se inyecta textualmente en un comando de shell, lo que permite la ejecuci\u00f3n arbitraria de comandos en el ejecutor de Actions. La versi\u00f3n 2.9.1 contiene una soluci\u00f3n para la vulnerabilidad."}], "id": "CVE-2026-27938", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-26T02:16:21.960", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/wp-graphql/wp-graphql/commit/de0c2d590593f1099546ad517106e454a498bc58"}, {"source": "security-advisories@github.com", "url": "https://github.com/wp-graphql/wp-graphql/security/advisories/GHSA-4q9f-mjxf-rx7x"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.9.1)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "matching", "scores": [{"score": 95.0, "source": "matching"}]}, "original": {"product": "wp-graphql", "source": "cna", "vendor": "wp-graphql"}, "product": "wpgraphql", "vendor": "wpgraphql"}], "analysis": {"en": {"generated_at": "2026-04-17T14:32:51.592761+00:00", "value": {"mitigation_remediation": ["Upgrade the WPGraphQL repository to version 2.9.1 or later, which removes the vulnerable expression from the release.yml workflow.", "Alter the release.yml workflow to sanitize or delete any use of ${ github.event.pull_request.body } before passing it to shell commands.", "Audit existing and newly created GitHub Actions workflows for similar unsanitized expressions and apply appropriate input validation or escaping to prevent future injection vulnerabilities."], "summary": {"action": "Patch Immediately", "impact": "Remote Code Execution via Command Injection on GitHub Actions runner"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in the wp-graphql/wp-graphql repository before version 2.9.1. Any WordPress site using WPGraphQL that relies on the existing GitHub Actions release workflow and has not applied the 2.9.1 update is affected.", "description_and_impact": "A flaw in the WPGraphQL release workflow permits the content of a pull request body to be inserted directly into a shell command. This results in OS command injection, allowing an attacker to execute arbitrary commands on the Actions runner when a pull request from develop to master is merged. The outcome is a full compromise of the Actions runner and, by extension, the potentially sensitive environment in which the workflow runs.", "risk_and_exploitability": "The CVSS score of 7.7 indicates high severity, yet the EPSS score is under 1% and the flaw is not listed in the CISA KEV catalog, suggesting a low to moderate exploitation probability. The likely attack vector involves an attacker submitting a crafted pull request to the develop branch that merges into master, thereby injecting malicious code into the release workflow. Once the merge occurs, the Actions runner executes the unsanitized payload, resulting in arbitrary command execution. This scenario would require the attacker to have sufficient privilege to submit pull requests. The overall risk reflects a significant potential impact balanced against a relatively low exploitation likelihood."}}}}, "created": "2026-02-26T13:10:07.798587+00:00", "updated": "2026-04-17T14:45:21.022440+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpgraphql", "wpgraphql$PRODUCT$wpgraphql"]}