Cyber Resilience

CVE-2026-27938

Severity: High · Type: RCE

Published: 26 February 2026
Modified: 15 April 2026
KEV Added: not listed
Patch: available
CVSS Score (v3.1): 7.7 · CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
EPSS Score: 0.0004 (13.3rd percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-27938 is a high-severity OS Command Injection (CWE-78) vulnerability. Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059). The CVE is ranked at the 13.3rd percentile by exploit likelihood (EPSS, below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and CM-3 (Configuration Change Control).

Deeper analysis

CVE-2026-27938 is an OS command injection vulnerability (CWE-78) in the GitHub Actions workflow file `release.yml` within the `wp-graphql/wp-graphql` repository. WPGraphQL is a plugin that provides a GraphQL API for WordPress sites. The issue affects versions prior to 2.9.1, where the workflow directly incorporates `${{ github.event.pull_request.body }}` into a `run:` shell block without sanitization.

The vulnerability can be exploited by an attacker with low privileges (PR:L) who submits a pull request from the `develop` branch to `master` with a malicious payload in the PR body. Exploitation requires a reviewer to merge the pull request (UI:R). Because GitHub Actions expands `${{ }}` expressions into the script text before the shell interprets it, the PR body is injected verbatim into a shell command executed on the GitHub Actions runner. Successful exploitation enables arbitrary command execution on the runner, with high confidentiality and integrity impacts and a changed scope (CVSS 7.7).

Version 2.9.1 of WPGraphQL resolves the vulnerability. Additional details are available in the GitHub security advisory at https://github.com/wp-graphql/wp-graphql/security/advisories/GHSA-4q9f-mjxf-rx7x and the fixing commit at https://github.com/wp-graphql/wp-graphql/commit/de0c2d590593f1099546ad517106e454a498bc58.


Vulnerability details

WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.9.1, the `wp-graphql/wp-graphql` repository contains a GitHub Actions workflow (`release.yml`) vulnerable to OS command injection through direct use of `${{ github.event.pull_request.body }}` inside a `run:` shell block. When a pull request from `develop` to `master` is merged, the PR body is injected verbatim into a shell command, allowing arbitrary command execution on the Actions runner. Version 2.9.1 contains a fix for the vulnerability.
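The following is an added example, not code from the page or from the WPGraphQL project, that shows the weak pattern described above beside its hardened form and a small check that flags the weak one. Both workflow snippets are constructed for illustration (the real `release.yml` is not reproduced here); the list of attacker-influenced expression contexts is an assumption drawn from GitHub's published hardening guidance and is not exhaustive. The hardened form uses the standard `env:` indirection, so the shell only ever sees the PR body as the value of a variable rather than as script text. The scanner is the kind of check a CM-3 change-control review or CI lint would run over workflow files before they are merged.

```python
"""Scan GitHub Actions workflow text for untrusted expression contexts inside `run:` blocks.

The pattern behind CVE-2026-27938 is `${{ github.event.pull_request.body }}` expanded
directly into a shell script. GitHub substitutes the expression *before* the shell sees
the script, so shell metacharacters in the PR body become part of the command. The safe
form binds the value to an environment variable; the shell then reads it only as data.
"""
import re

# Contexts an outside contributor can influence. Assumption: drawn from GitHub's
# "security hardening for GitHub Actions" guidance; not an exhaustive list.
UNTRUSTED_CONTEXTS = [
    r"github\.event\.pull_request\.(body|title)",
    r"github\.event\.pull_request\.head\.(ref|label)",
    r"github\.head_ref",
    r"github\.event\.issue\.(body|title)",
    r"github\.event\.comment\.body",
    r"github\.event\.review\.body",
    r"github\.event\.head_commit\.message",
    r"github\.event\.commits\[[^\]]*\]\.message",
]
UNTRUSTED_RE = re.compile("|".join(UNTRUSTED_CONTEXTS))
EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")          # ${{ expression }}
RUN_KEY_RE = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")  # a `run:` step key


def run_blocks(workflow_text):
    """Yield (line_number, script) for each `run:` step; line numbers are 1-based."""
    lines = workflow_text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_KEY_RE.match(lines[i])
        if not m:
            i += 1
            continue
        key_line = i + 1
        indent = len(m.group(1)) + len(m.group(2) or "")
        value = m.group(3).strip()
        if value and value[0] in "|>":
            # YAML block scalar: the script is the run of more-indented lines that follows
            body = []
            i += 1
            while i < len(lines) and (
                not lines[i].strip() or len(lines[i]) - len(lines[i].lstrip()) > indent
            ):
                body.append(lines[i])
                i += 1
            yield key_line, "\n".join(body)
        else:
            # inline scalar: the script sits on the same line as the key
            yield key_line, value
            i += 1


def find_injections(workflow_text):
    """Return [(line_number, expression)] for untrusted expressions expanded in run scripts."""
    findings = []
    for lineno, script in run_blocks(workflow_text):
        for m in EXPR_RE.finditer(script):
            expr = m.group(1)
            if UNTRUSTED_RE.search(expr):
                findings.append((lineno, expr))
    return findings


# Constructed sample (not the real wp-graphql release.yml): the vulnerable shape.
VULNERABLE_WORKFLOW = r"""name: release
on:
  pull_request:
    types: [closed]
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - name: Capture release notes (unsafe)
        run: |
          echo "${{ github.event.pull_request.body }}" > notes.txt
"""

# Constructed hardened form: the expression is bound to an env var and the shell
# reads $PR_BODY as data, so metacharacters in the body are never parsed as commands.
HARDENED_WORKFLOW = r"""name: release
on:
  pull_request:
    types: [closed]
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - name: Capture release notes (safe)
        env:
          PR_BODY: ${{ github.event.pull_request.body }}
        run: |
          printf '%s\n' "$PR_BODY" > notes.txt
"""

if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        hits = find_injections(text)
        print(f"{label}: {len(hits)} finding(s)")
        for lineno, expr in hits:
            print(f"  line {lineno}: untrusted expression in run script: {expr}")
```

Running the module reports one finding for the vulnerable workflow (the `run:` key on line 10) and none for the hardened one. The check is deliberately line-based rather than a full YAML parse, which is enough for the common `run: |` and inline `run:` shapes but will miss scripts assembled in other ways, so treat it as a pre-merge lint, not a substitute for the `env:` indirection itself.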

CWE(s)

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1059 Command and Scripting Interpreter (Execution): Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
T1195.002 Compromise Software Supply Chain (Initial Access): Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise.
Why these techniques?

OS command injection in the release.yml workflow enables arbitrary shell command execution on the Actions runner (T1059) and directly facilitates supply chain compromise of released WPGraphQL plugin artifacts (T1195.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-52626 (shared CWE-78)
CVE-2025-60962 (shared CWE-78)
CVE-2025-23316 (shared CWE-78)
CVE-2026-30880 (shared CWE-78)
CVE-2025-64124 (shared CWE-78)
CVE-2024-58274 (shared CWE-78)
CVE-2026-34188 (shared CWE-78)
CVE-2026-33613 (shared CWE-78)
CVE-2025-0680 (shared CWE-78)
CVE-2026-5965 (shared CWE-78)


Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

Prevent · SI-10 (Information Input Validation): Requires validation and sanitization of untrusted inputs such as GitHub pull request bodies before incorporation into shell commands, directly preventing the OS command injection vulnerability in the release.yml workflow.

Prevent · CM-3 (Configuration Change Control): Establishes configuration change control processes to review, test, and approve modifications to GitHub Actions workflows, helping identify and remediate insecure practices like direct PR body injection.

Prevent · SA-10 (Developer Configuration Management): Mandates developer configuration management to maintain secure baselines and control changes to CI/CD artifacts like release.yml, preventing the introduction or persistence of command injection flaws.
