Skip to main content

YARD CVE-2026-41493

| EUVDEUVD-2026-28554 MEDIUM
Path Traversal (CWE-22)
2026-05-08 GitHub_M
6.9
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Red Hat
5.3 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Source Code Evidence Fetched
May 08, 2026 - 14:32 vuln.today
Analysis Generated
May 08, 2026 - 14:32 vuln.today
Patch available
May 08, 2026 - 14:02 EUVD
CVE Published
May 08, 2026 - 13:13 nvd
MEDIUM 6.9

DescriptionGitHub Advisory

YARD is a Ruby Documentation tool. Prior to version 0.9.42, a path traversal vulnerability was discovered in YARD when using yard server to serve documentation. This bug would allow unsanitized HTTP requests to access arbitrary files on the machine of a yard server host under certain conditions. This issue has been patched in version 0.9.42.

AnalysisAI

Path traversal vulnerability in YARD prior to version 0.9.42 allows remote attackers to access arbitrary files on a server running yard server with unsanitized HTTP requests when using the --docroot flag. The vulnerability affects the documentation serving functionality and has been patched in version 0.9.42. No public exploit code or active exploitation has been identified at the time of analysis.

Technical ContextAI

YARD is a Ruby documentation generation and serving tool. The vulnerability exists in the yard server component, which uses HTTP request handling to serve pre-generated documentation files. The root cause is improper input validation of the document_root (--docroot) parameter, classified as CWE-22 (Path Traversal). When yard server processes HTTP requests without proper sanitization, an attacker can craft requests containing path traversal sequences (such as ../ or absolute paths) to bypass intended directory restrictions and access files outside the intended documentation directory. The vulnerability is specific to non-WEBrick server configurations, as WEBrick performs path sanitization by default.

RemediationAI

Upgrade YARD to version 0.9.42 or later immediately. The patched version fixes the path traversal vulnerability in the document_root handling. For users unable to upgrade immediately, two workarounds are available: First, use WEBrick as the server backend by running 'yard server -s webrick', which performs automatic path sanitization on HTTP requests. Second, implement path sanitization at the web server level (e.g., nginx, Apache) by adding rules that reject or neutralize path traversal sequences in HTTP requests. These workarounds mitigate the risk but do not address the underlying code defect; upgrading to 0.9.42 is the definitive fix. The upgrade has minimal side effects, as it is primarily a security fix with only minor UI/UX improvements included in the release.

Vendor StatusVendor

SUSE

Severity: High

Share

CVE-2026-41493 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy