PT-2026-51019 · Lsegal · Yard
Published 2026-06-19 · Updated 2026-06-19 · CVE-2026-49342
CVSS v3.1: 5.3 Medium
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
YARD is a documentation generation tool for the Ruby programming language. Prior to version 0.9.44, YARD's static cache lookup reads a request path before the router's path cleanup runs. When a server is configured with a document root, a traversal path such as /../yard-cache-secret.html is joined against that root and can return a readable sibling .html file outside the intended static tree. Version 0.9.44 patches the issue.
Fix
Path traversal
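The lookup pattern from the description, as an added Ruby example that is not YARD's code or the 0.9.44 patch: the helper names and the temporary fixture are hypothetical, and only the /../yard-cache-secret.html path comes from the advisory. It contrasts joining the raw request path against a document root with a lookup that resolves the path and refuses anything outside that root.

```ruby
require "tmpdir"
require "fileutils"

# Hypothetical helpers for illustration; these are not YARD's API.

# Vulnerable pattern: the raw request path is joined to the root with no cleanup.
def naive_cache_lookup(docroot, request_path)
  candidate = File.join(docroot, request_path.sub(/\.html\z/, "") + ".html")
  File.file?(candidate) ? File.read(candidate) : nil
end

# Hardened pattern: resolve the candidate, then require it to stay under the root.
def contained_cache_lookup(docroot, request_path)
  root = File.realpath(docroot)
  joined = File.join(root, request_path.sub(/\.html\z/, "") + ".html")
  candidate = File.expand_path(joined) # collapses "." and ".." segments
  # The trailing separator stops "static-other" from matching root "static".
  return nil unless candidate.start_with?(root + File::SEPARATOR)
  return nil unless File.file?(candidate)
  # Resolve symlinks too, so a link inside the root cannot point outside it.
  real = File.realpath(candidate)
  real.start_with?(root + File::SEPARATOR) ? File.read(real) : nil
end

# Constructed fixture: a document root with one cached page and a sibling file.
def demo
  Dir.mktmpdir do |base|
    docroot = File.join(base, "static")
    FileUtils.mkdir_p(docroot)
    File.write(File.join(docroot, "index.html"), "cached page")
    File.write(File.join(base, "yard-cache-secret.html"), "outside the tree")
    traversal = "/../yard-cache-secret.html" # path quoted in the advisory
    {
      naive_normal: naive_cache_lookup(docroot, "/index.html"),
      naive_traversal: naive_cache_lookup(docroot, traversal),
      contained_normal: contained_cache_lookup(docroot, "/index.html"),
      contained_traversal: contained_cache_lookup(docroot, traversal)
    }
  end
end

p demo if $PROGRAM_NAME == __FILE__
```

The containment check runs on the resolved path rather than on the request string, so it does not depend on any earlier cleanup step having run.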
Weakness Enumeration
Related Identifiers
Affected Products
Yard