7.7
WPGraphQL: Malicious Code Can Be Run on GitHub Actions Runner
CVE-2026-27938
Summary
A previous version of WPGraphQL's GitHub Actions workflow contained a vulnerability that allowed malicious code to be executed on the Actions runner. This could happen when a pull request from the `develop` branch to `master` was merged, because the pull request body was placed directly into a shell command. Update to version 2.9.1 or later to fix the issue.
Original title
WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.9.1, the `wp-graphql/wp-graphql` repository contains a GitHub Actions workflow (`release.yml`) vulnerable to OS command inje...
Original description
WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.9.1, the `wp-graphql/wp-graphql` repository contains a GitHub Actions workflow (`release.yml`) vulnerable to OS command injection through direct use of `${{ github.event.pull_request.body }}` inside a `run:` shell block. When a pull request from `develop` to `master` is merged, the PR body is injected verbatim into a shell command, allowing arbitrary command execution on the Actions runner. Version 2.9.1 contains a fix for the vulnerability.
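The injection pattern described above, and the usual fix, as an added example that is not taken from the project's own `release.yml`: both workflow fragments below are constructed, and the scanner is a small line-based check (no YAML library) that flags untrusted event-context expressions expanded directly inside a `run:` script while accepting the same value passed through `env:`.

```python
import re

# Constructed workflow fragments (not the project's own release.yml).
# Weak: the PR body is interpolated straight into the shell script.
VULNERABLE = """\
jobs:
  release:
    steps:
      - run: |
          echo "${{ github.event.pull_request.body }}" >> notes.txt
"""
# Hardened: the value enters via env, the script only expands "$PR_BODY".
HARDENED = """\
jobs:
  release:
    steps:
      - env:
          PR_BODY: ${{ github.event.pull_request.body }}
        run: |
          printf '%s\\n' "$PR_BODY" >> notes.txt
"""

# Event-context fields whose content an outside contributor controls.
UNTRUSTED = re.compile(
    r"\$\{\{\s*github\.event\.(pull_request|issue|comment|review)"
    r"\.(body|title|head\.ref)\b[^}]*\}\}")


def find_unsafe_run_interpolations(workflow_text):
    """Return (line_no, expression) for untrusted expressions inside a `run:` script."""
    findings = []
    block_indent = None  # indent of the `run` key while inside its script
    for no, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if block_indent is not None and stripped and indent <= block_indent:
            block_indent = None  # the block scalar has ended
        m = re.match(r"(?:-\s+)?run:(.*)$", stripped)
        if m:
            key_indent = indent + (len(stripped) - len(stripped.lstrip("- ")))
            rest = m.group(1).strip()
            if rest in ("", "|", ">", "|-", ">-"):
                block_indent = key_indent  # multi-line script follows
            elif UNTRUSTED.search(rest):   # single-line `run: ...`
                findings.append((no, UNTRUSTED.search(rest).group(0)))
        elif block_indent is not None:
            hit = UNTRUSTED.search(line)
            if hit:
                findings.append((no, hit.group(0)))
    return findings
```

Running the scanner over a repository's `.github/workflows/*.yml` files is a cheap pre-merge check for this class of bug; the `env:` form is safe because the runner passes the value as data rather than re-parsing it as shell syntax.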
NVD CVSS 3.1 score: 7.7
Vulnerability type: CWE-78 (OS Command Injection)
Published: 26 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026