PT-2026-22080 · WordPress · Wpgraphql

Nekros1Xx · Published 2026-02-26 · Updated 2026-03-03 · CVE-2026-27938

CVSS v3.1: 7.7 (High)
Vector: AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: WPGraphQL versions prior to 2.9.1

Description: WPGraphQL provides a GraphQL API for WordPress sites. The GitHub Actions workflow file release.yml in the wp-graphql/wp-graphql repository is susceptible to OS command injection because it uses ${{ github.event.pull_request.body }} directly inside a run: shell block. When a pull request is merged from the develop branch into the master branch, the pull request body is interpolated into the shell command before the step executes, potentially enabling arbitrary command execution on the Actions runner.

Recommendations: Update to version 2.9.1 or later.
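As an added example (not code from this advisory or from the wp-graphql project), the following Python checker scans workflow text for untrusted event expressions interpolated inside run: blocks, and is shown against a constructed vulnerable step alongside its hardened form, which passes the PR body through an environment variable. The workflow fragments, step names and the PR_BODY variable are assumptions for illustration, not the project's actual files.

```python
import re

# Constructed fragments modelled on the pattern the advisory describes (not copied
# from wp-graphql's release.yml): the first interpolates the PR body straight into
# the shell script; the second binds it to an env var the shell reads as data.
VULNERABLE_WORKFLOW = """\
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - name: Add PR body to release notes
        run: |
          echo "${{ github.event.pull_request.body }}" >> notes.md
"""
HARDENED_WORKFLOW = """\
    steps:
      - name: Add PR body to release notes
        env:
          PR_BODY: ${{ github.event.pull_request.body }}
        run: |
          echo "$PR_BODY" >> notes.md
"""

# Event fields an external contributor can set directly (not exhaustive).
UNTRUSTED_CONTEXTS = (
    r"github\.event\.pull_request\.(title|body|head\.ref|head\.label)",
    r"github\.event\.issue\.(title|body)",
    r"github\.event\.comment\.body",
    r"github\.head_ref",
)
EXPR_RE = re.compile(r"\$\{\{\s*(?:" + "|".join(UNTRUSTED_CONTEXTS) + r")\s*\}\}")

def find_run_injections(workflow_text):
    """Return (line_number, expression) for untrusted expressions inside run: blocks."""
    findings, in_run, run_indent = [], False, 0
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        is_item = stripped.startswith("- ")          # `- run:` list-item form
        key = stripped[2:] if is_item else stripped
        if key.startswith("run:"):
            in_run, run_indent = True, (indent + 2 if is_item else indent)
            body = key[len("run:"):]                 # inline `run: cmd` form
        elif in_run and stripped and indent <= run_indent:
            in_run, body = False, ""                 # block scalar has ended
        else:
            body = stripped if in_run else ""
        findings += [(lineno, m.group(0)) for m in EXPR_RE.finditer(body)]
    return findings
```

The same expression under env: is not flagged, since the shell then receives the value as a variable rather than as part of the script text.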

Weakness Enumeration: OS Command Injection

Related Identifiers: CVE-2026-27938, GHSA-4Q9F-MJXF-RX7X

Affected Products: Wpgraphql