Description
YARD is a documentation generation tool for the Ruby programming language. Prior to version 0.9.44, YARD's static cache lookup reads a request path before the router's path cleanup runs. When a server is configured with a document root, a traversal path such as `/../yard-cache-secret.html` is joined against that root and can return a readable sibling `.html` file outside the intended static tree. Version 0.9.44 patches the issue.
Published: 2026-06-19
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

YARD, a Ruby documentation generator maintained by lsegal, includes a static cache used to serve documentation files. In versions before 0.9.44 the cache lookup reads the raw request path before router sanitization, allowing a crafted traversal string such as /../yard-cache-secret.html to resolve to a sibling HTML file outside the intended static tree. The flaw is a directory traversal issue (CWE-22) that can expose arbitrary configuration or documentation files, resulting in information disclosure.

Affected Systems

Any deployment of YARD older than 0.9.44 that serves static cache content from a configured document root is affected. The vulnerability applies regardless of the specific server or hosting configuration.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and no EPSS rating is available, so the current likelihood of exploitation is undetermined. The issue is not listed in CISA KEV, implying limited known exploitation. Since the flaw is triggered by an unauthenticated HTTP request path before any authorization checks, an attacker can exploit it remotely or locally without privileged access to read sensitive files.

Generated by OpenCVE AI on June 19, 2026 at 21:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade YARD to version 0.9.44 or newer, which implements the proper path sanitization before cache lookup.
  • Reconfigure the document root so that no critical files are exposed, or move sensitive files outside the static cache directory.
  • If an upgrade is not possible immediately, disable the static cache feature or impose strict path validation before accessing the cache to block traversal attempts.

Generated by OpenCVE AI on June 19, 2026 at 21:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
First Time appeared Lsegal
Lsegal yard
Vendors & Products Lsegal
Lsegal yard

Fri, 19 Jun 2026 20:00:00 +0000

Type Values Removed Values Added
Description YARD is a documentation generation tool for the Ruby programming language. Prior to version 0.9.44, YARD's static cache lookup reads a request path before the router's path cleanup runs. When a server is configured with a document root, a traversal path such as `/../yard-cache-secret.html` is joined against that root and can return a readable sibling `.html` file outside the intended static tree. Version 0.9.44 patches the issue.
Title YARD static cache reads raw traversal paths before router sanitization
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Lsegal Yard
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-19T19:13:59.598Z

Reserved: 2026-05-29T14:35:45.903Z

Link: CVE-2026-49342

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-19T22:15:03Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')