YARD Path Traversal Vulnerability in Documentation Server

Vulnerability

A path traversal vulnerability has been identified in YARD, a Ruby documentation tool, in versions prior to 0.9.42. When the built-in server ('yard server') is used to serve documentation, a request path that is not sanitized can resolve to a file outside the documentation root, so a crafted HTTP request can read arbitrary files on the host machine under certain conditions. The issue has been patched in version 0.9.42.

Impact

Exploitation of this vulnerability could lead to unauthorized read access to arbitrary files on the server hosting the YARD documentation. In practice the exposure is bounded by the privileges of the account running the YARD server: any file that account can read is reachable, which is one more reason not to run the documentation server as a privileged user or to expose it beyond a trusted network.

Remediation

Users are advised to upgrade to YARD version 0.9.42 or later; the installed version can be checked with 'yard --version'. The patched release is the fix; the measures below are workarounds that reduce exposure for those unable to upgrade. Request paths can be sanitized at the web server level before they reach YARD: WEBrick performs this sanitization by default and can be selected with 'yard server -s webrick', or equivalent rules can be added to the configuration of a web server or reverse proxy placed in front of the YARD server. Whichever workaround is used, verify it by requesting a path containing traversal sequences and confirming that the server refuses it rather than serving a file from outside the documentation root.
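As an added illustration, not code from YARD or from this advisory, the following Ruby shows the kind of request-path sanitization the workaround refers to: a Rack-style middleware that resolves each request path against a documentation root and refuses any path that would escape it, including percent-encoded, double-encoded and NUL-truncated traversal attempts. It is plain Ruby and does not require the rack gem. DOC_ROOT is an assumed, hypothetical location that is never touched on disk, and the request paths in the usage section are constructed samples rather than captured traffic.

```ruby
# Added example (not YARD's own code): request-path sanitization of the kind the
# remediation describes, written as a Rack-style middleware in plain Ruby so it
# runs without the rack gem. DOC_ROOT is an assumed, hypothetical location.
DOC_ROOT = File.expand_path("/srv/yard-docs").freeze

# Percent-decode one layer of %XX escapes, working on raw bytes so that
# multibyte sequences survive, then re-tag the result as UTF-8.
def percent_decode(str)
  str.b.gsub(/%([0-9a-fA-F]{2})/) { [$1.hex].pack("C") }.force_encoding(Encoding::UTF_8)
end

# Resolve +request_path+ against +root+. Returns the absolute on-disk path when
# the request stays inside the root, or nil when it must be refused.
def safe_doc_path(request_path, root = DOC_ROOT)
  path = request_path.to_s.split("?", 2).first.to_s

  # Decode repeatedly so that double-encoded traversal (%252e%252e) does not
  # slip through as a literal "%2e%2e" that a later component decodes again.
  3.times do
    decoded = percent_decode(path)
    break if decoded == path
    path = decoded
  end
  return nil if path.match?(/%[0-9a-fA-F]{2}/)   # still encoded after 3 rounds: refuse
  return nil unless path.valid_encoding?           # malformed bytes: refuse
  return nil if path.include?("\0")                # NUL truncation attempts: refuse

  # Treat backslashes as separators so "..\" cannot hide a traversal on hosts
  # whose file layer accepts them, then drop leading slashes so the path is
  # always resolved relative to the root.
  rel = path.tr("\\", "/").sub(%r{\A/+}, "")
  rel = "." if rel.empty?
  return nil if rel.start_with?("~")               # File.expand_path would expand a home dir

  # expand_path collapses "." and ".." lexically; the prefix check (with the
  # trailing separator, so "/srv/yard-docs-private" does not match) is what
  # actually enforces containment.
  full = File.expand_path(rel, root)
  return nil unless full == root || full.start_with?(root + File::SEPARATOR)
  full
end

# Minimal Rack-style middleware: refuse traversal requests before the
# documentation app sees them. Only env["PATH_INFO"] is consulted.
class TraversalGuard
  def initialize(app, root = DOC_ROOT)
    @app = app
    @root = root
  end

  def call(env)
    if safe_doc_path(env["PATH_INFO"], @root)
      @app.call(env)
    else
      [403, { "content-type" => "text/plain" }, ["Forbidden\n"]]
    end
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed request paths, not captured traffic.
  %w[/index.html /docs/../../etc/passwd /docs/%2e%2e/%2e%2e/etc/passwd
     /docs/..%252f..%252fetc/passwd /~root/.bashrc /index.html%00.jpg].each do |p|
    puts "#{p} -> #{safe_doc_path(p).inspect}"
  end
end
```

The same containment rule can be expressed as a deny or rewrite rule in a reverse proxy placed in front of the server; the essential properties are the ones the Ruby makes explicit: decode before normalizing, normalize before comparing, and compare against the root with its trailing separator so that a sibling directory sharing the root's name as a prefix is not accepted.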

Added: May 8, 2026, 5:19 PM
Updated: May 8, 2026, 5:19 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.8
exploitability: 7.4
remediation: 0.0
relevance: 7.8
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.