Description
YARD is a Ruby Documentation tool. Prior to version 0.9.42, a path traversal vulnerability was discovered in YARD when using yard server to serve documentation. This bug would allow unsanitized HTTP requests to access arbitrary files on the machine of a yard server host under certain conditions. This issue has been patched in version 0.9.42.
Published: 2026-05-08
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

YARD, a Ruby documentation generator, has a path traversal flaw in `yard server`, its built-in HTTP documentation server. Before version 0.9.42, a specially crafted request path reaches the filesystem unsanitized and can read files outside the documentation directory on the host running the server, under conditions the advisory does not detail. The CVSS 4.0 vector rates the confidentiality impact as low (VC:L) with no integrity or availability impact. The weakness is a classic directory traversal condition, classified as CWE-22.

Affected Systems

The affected product is lsegal's YARD documentation tool. Versions earlier than 0.9.42 are vulnerable; the fix was introduced in release 0.9.42. Any deployment in which `yard server` is reachable by untrusted clients, on the public internet or an internal network, is exposed.

Risk and Exploitability

The CVSS 4.0 score of 6.9 places the flaw in the Medium range. No EPSS score is available, so the likelihood of exploitation cannot be quantified, and the flaw is not listed in the CISA KEV catalog, so no in-the-wild exploitation has been reported. The vector (AV:N/AC:L/AT:N/PR:N/UI:N) indicates that an attacker needs only HTTP access to the yard server: no credentials, no user interaction and no special preconditions. Successful exploitation yields read access to files outside the documentation root, which can expose configuration, source or credentials that aid further attacks such as data exfiltration or privilege escalation.

Generated by OpenCVE AI on May 8, 2026 at 15:30 UTC.

Remediation

Fixed upstream in YARD 0.9.42; the GitHub advisory GHSA-3jfp-46x4-xgfj tracks the patch.

OpenCVE Recommended Actions

  • Upgrade YARD to version 0.9.42 or later, which contains the fix.
  • Restrict network access to the yard server, using firewall rules or a reverse proxy with authentication, so only trusted clients can reach it.
  • If upgrading is not immediately possible, stop serving documentation with `yard server` on a network-reachable interface: bind it to the loopback interface, or generate static HTML with `yardoc` and serve it from a hardened web server that canonicalises request paths and rejects anything that resolves outside the documentation root.
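
The Impact section above describes the generic CWE-22 pattern behind this advisory, and the last recommended action asks for strict path validation. The Ruby block below is an added example, not YARD's code and not the patch in 0.9.42: it shows a naive join that lets `../` escape the documentation root, the hardened resolver beside it (decode once, canonicalise, then prefix-check against the root), a triage helper that flags traversal attempts in a list of request paths, and a version check against the fixed release named on this page. `DOC_ROOT` and the sample request paths are constructed for the example.

```ruby
require "rubygems"

# Constructed documentation root for the example (not YARD's real layout).
DOC_ROOT = File.expand_path("/srv/yard-docs")

# Percent-decode a URL path exactly once, as a server does before touching
# the filesystem. Decoding a second time after validation would turn "%252e"
# into "." and reopen the hole, so never re-decode a validated path.
def percent_decode(url_path)
  url_path.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# Vulnerable pattern (CWE-22, modelled generically, not YARD's code): the
# request path is joined onto the root and used as-is, so "/../../etc/passwd"
# resolves outside DOC_ROOT.
def naive_resolve(url_path)
  File.join(DOC_ROOT, percent_decode(url_path))
end

# Hardened pattern: join, canonicalise with File.expand_path (collapses "..",
# "." and repeated slashes), then require the result to be DOC_ROOT itself or
# a descendant of it. Returns the absolute path, or nil when the request
# escapes the root. Joining before expanding also prevents a leading "~" in
# the request from being expanded to a home directory.
def safe_resolve(url_path)
  decoded = percent_decode(url_path)
  return nil if decoded.include?("\0") # NUL bytes truncate paths in C APIs
  candidate = File.expand_path(File.join(DOC_ROOT, decoded))
  return nil unless candidate == DOC_ROOT || candidate.start_with?("#{DOC_ROOT}/")
  candidate
end

# Triage helper: given request paths (for example pulled from an access log),
# return the ones the hardened resolver rejects as traversal attempts.
def traversal_attempts(url_paths)
  url_paths.reject { |p| safe_resolve(p) }
end

# Fixed release named in the advisory.
PATCHED_VERSION = Gem::Version.new("0.9.42")

# True when the given YARD version string carries the fix.
def yard_patched?(version_string)
  Gem::Version.new(version_string) >= PATCHED_VERSION
end

if __FILE__ == $0
  # Constructed sample requests: benign doc paths plus traversal variants,
  # including percent-encoded dots and an encoded slash.
  samples = [
    "/docs/YARD/CLI/Server.html",
    "/../../etc/passwd",
    "/docs/%2e%2e/%2e%2e/etc/passwd",
    "/docs/..%2f..%2fetc/shadow",
    "/docs/./index.html",
  ]
  samples.each do |p|
    puts format("%-36s naive=%-44s safe=%s", p, naive_resolve(p), safe_resolve(p).inspect)
  end
  puts "flagged: #{traversal_attempts(samples).inspect}"
  puts "yard 0.9.41 patched? #{yard_patched?('0.9.41')}"
end
```

The prefix check compares against `DOC_ROOT` followed by a separator so that a sibling directory such as `/srv/yard-docs-private` is not accepted as a descendant. If the documentation tree may contain symlinks, add a `File.realpath` check on the resolved file before serving it; that step is omitted here so the example runs without the directory existing.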

Advisories
Source: GitHub GHSA
ID: GHSA-3jfp-46x4-xgfj
Title: yard: Possible arbitrary path traversal and file access via yard server
History

Fri, 08 May 2026 13:30:00 +0000

Values added:
  • Description: YARD is a Ruby Documentation tool. Prior to version 0.9.42, a path traversal vulnerability was discovered in YARD when using yard server to serve documentation. This bug would allow unsanitized HTTP requests to access arbitrary files on the machine of a yard server host under certain conditions. This issue has been patched in version 0.9.42.
  • Title: yard: Possible arbitrary path traversal and file access via yard server
  • Weaknesses: CWE-22
  • References: (none)
  • Metrics: cvssV4_0, score 6.9, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T21:27:41.408Z

Reserved: 2026-04-20T16:14:19.008Z

Link: CVE-2026-41493

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-08T14:16:33.550

Modified: 2026-05-08T16:02:14.343

Link: CVE-2026-41493

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T15:45:08Z

Weaknesses