{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-27938","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2026-02-25T03:11:36.689Z","datePublished":"2026-02-26T01:10:26.985Z","dateUpdated":"2026-02-26T19:22:46.590Z"},"containers":{"cna":{"title":"WPGraphQL Repo Vulnerable to Command Injection via Unsanitized GitHub Actions Expression in Release Workflow","problemTypes":[{"descriptions":[{"cweId":"CWE-78","lang":"en","description":"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","type":"CWE"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.7,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N","version":"3.1"}}],"references":[{"name":"https://github.com/wp-graphql/wp-graphql/security/advisories/GHSA-4q9f-mjxf-rx7x","tags":["x_refsource_CONFIRM"],"url":"https://github.com/wp-graphql/wp-graphql/security/advisories/GHSA-4q9f-mjxf-rx7x"},{"name":"https://github.com/wp-graphql/wp-graphql/commit/de0c2d590593f1099546ad517106e454a498bc58","tags":["x_refsource_MISC"],"url":"https://github.com/wp-graphql/wp-graphql/commit/de0c2d590593f1099546ad517106e454a498bc58"}],"affected":[{"vendor":"wp-graphql","product":"wp-graphql","versions":[{"version":"< 2.9.1","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2026-02-26T01:10:26.985Z"},"descriptions":[{"lang":"en","value":"WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.9.1, the `wp-graphql/wp-graphql` repository contains a GitHub Actions workflow (`release.yml`) vulnerable to OS command injection through direct use of `${{ github.event.pull_request.body }}` inside a `run:` shell block. When a pull request from `develop` to `master` is merged, the PR body is injected verbatim into a shell command, allowing arbitrary command execution on the Actions runner. Version 2.9.1 contains a fix for the vulnerability."}],"source":{"advisory":"GHSA-4q9f-mjxf-rx7x","discovery":"UNKNOWN"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-02-26T19:22:31.745230Z","id":"CVE-2026-27938","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-02-26T19:22:46.590Z"}}]}}