{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-05T08:37:45.898","vulnerabilities":[{"cve":{"id":"CVE-2026-27938","sourceIdentifier":"security-advisories@github.com","published":"2026-02-26T02:16:21.960","lastModified":"2026-04-15T00:35:42.020","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.9.1, the `wp-graphql/wp-graphql` repository contains a GitHub Actions workflow (`release.yml`) vulnerable to OS command injection through direct use of `${{ github.event.pull_request.body }}` inside a `run:` shell block. When a pull request from `develop` to `master` is merged, the PR body is injected verbatim into a shell command, allowing arbitrary command execution on the Actions runner. Version 2.9.1 contains a fix for the vulnerability."},{"lang":"es","value":"WPGraphQL proporciona una API GraphQL para sitios de WordPress. Antes de la versión 2.9.1, el repositorio 'wp-graphql/wp-graphql' contiene un flujo de trabajo de GitHub Actions ('release.yml') vulnerable a la inyección de comandos del sistema operativo mediante el uso directo de '${{ github.event.pull_request.body }}' dentro de un bloque de shell 'run:'. Cuando se fusiona una solicitud de extracción de 'develop' a 'master', el cuerpo de la PR se inyecta textualmente en un comando de shell, lo que permite la ejecución arbitraria de comandos en el ejecutor de Actions. La versión 2.9.1 contiene una solución para la vulnerabilidad."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N","baseScore":7.7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":1.3,"impactScore":5.8}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-78"}]}],"references":[{"url":"https://github.com/wp-graphql/wp-graphql/commit/de0c2d590593f1099546ad517106e454a498bc58","source":"security-advisories@github.com"},{"url":"https://github.com/wp-graphql/wp-graphql/security/advisories/GHSA-4q9f-mjxf-rx7x","source":"security-advisories@github.com"}]}}]}