Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Server is network-accessible with no auth required; traversal is mechanically simple (AC:L); only .html files readable limits confidentiality to Low; no integrity or availability impact exists.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
YARD is a documentation generation tool for the Ruby programming language. Prior to version 0.9.44, YARD's static cache lookup reads a request path before the router's path cleanup runs. When a server is configured with a document root, a traversal path such as /../yard-cache-secret.html is joined against that root and can return a readable sibling .html file outside the intended static tree. Version 0.9.44 patches the issue.
AnalysisAI
Path traversal in the YARD Ruby documentation server (prior to 0.9.44) allows unauthenticated remote attackers to read arbitrary .html files from directories outside the configured document root by supplying crafted ../-containing request paths such as /../yard-cache-secret.html. The flaw exists because the static cache lookup in StaticCaching#check_static_cache constructs a filesystem path from the raw request.path before the router's own path-sanitization logic runs, enabling traversal to sibling directories. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | YARD must be running as a web server (not used solely as a CLI documentation generator). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N scores 5.3 (Medium), correctly reflecting unauthenticated network access with low attack complexity and a confidentiality-only impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with HTTP access to a running YARD server sends `GET /../sensitive-docs.html HTTP/1.1`, which the static cache lookup processes before any router-level path cleanup. The code constructs `File.join(document_root, '/../sensitive-docs.html')`, which the OS resolves to a sibling directory of the document root, and YARD reads and returns the contents of that file in the HTTP response. … |
| Remediation | Upgrade YARD to version 0.9.44 or later; this is the vendor-released patch that resolves the path traversal by introducing sanitized path construction in `StaticCaching#cache_path`. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
YARD is a Ruby Documentation tool. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no auth
lib/yard/core_ext/file.rb in the server in YARD before 0.9.11 does not block relative paths with an initial ../ sequence
yard before 0.9.20 allows path traversal. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38069
GHSA-pxcc-8665-phx8