Skip to main content

YARD EUVDEUVD-2026-38069

| CVE-2026-49342 MEDIUM
Path Traversal (CWE-22)
2026-06-19 GitHub_M GHSA-pxcc-8665-phx8
5.3
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
5.3 MEDIUM

Server is network-accessible with no auth required; traversal is mechanically simple (AC:L); only .html files readable limits confidentiality to Low; no integrity or availability impact exists.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch available
Jun 19, 2026 - 21:02 EUVD
Source Code Evidence Fetched
Jun 19, 2026 - 20:16 vuln.today
Analysis Generated
Jun 19, 2026 - 20:16 vuln.today

DescriptionCVE.org

YARD is a documentation generation tool for the Ruby programming language. Prior to version 0.9.44, YARD's static cache lookup reads a request path before the router's path cleanup runs. When a server is configured with a document root, a traversal path such as /../yard-cache-secret.html is joined against that root and can return a readable sibling .html file outside the intended static tree. Version 0.9.44 patches the issue.

AnalysisAI

Path traversal in the YARD Ruby documentation server (prior to 0.9.44) allows unauthenticated remote attackers to read arbitrary .html files from directories outside the configured document root by supplying crafted ../-containing request paths such as /../yard-cache-secret.html. The flaw exists because the static cache lookup in StaticCaching#check_static_cache constructs a filesystem path from the raw request.path before the router's own path-sanitization logic runs, enabling traversal to sibling directories. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed YARD server with document_root configured
Delivery
Send HTTP GET with ../ traversal in request path
Exploit
Bypass router sanitization via early static cache lookup
Execution
Resolve traversal against document_root on disk
Impact
Read and exfiltrate sibling .html file outside intended static tree

Vulnerability AssessmentAI

Exploitation YARD must be running as a web server (not used solely as a CLI documentation generator). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N scores 5.3 (Medium), correctly reflecting unauthenticated network access with low attack complexity and a confidentiality-only impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with HTTP access to a running YARD server sends `GET /../sensitive-docs.html HTTP/1.1`, which the static cache lookup processes before any router-level path cleanup. The code constructs `File.join(document_root, '/../sensitive-docs.html')`, which the OS resolves to a sibling directory of the document root, and YARD reads and returns the contents of that file in the HTTP response. …
Remediation Upgrade YARD to version 0.9.44 or later; this is the vendor-released patch that resolves the path traversal by introducing sanitized path construction in `StaticCaching#cache_path`. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38069 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy