Path Traversal Vulnerability in YARD Documentation Tool
CVE-2026-41493

6.9MEDIUM

Key Information:

Vendor

Lsegal

Status
Yard
Vendor
CVE Published:
8 May 2026

What is CVE-2026-41493?

A path traversal vulnerability exists in YARD, a Ruby documentation tool, prior to version 0.9.42. When using the yard server to host documentation, unsanitized HTTP requests can exploit this flaw, granting unauthorized access to sensitive files on the server's machine. This vulnerability emphasizes the importance of sanitizing user input to prevent unauthorized file access.

Affected Version(s)

yard < 0.9.42

References

https://github.com/lsegal/yard/security/advisories/GHSA-3...
x_refsource_CONFIRM
https://github.com/lsegal/yard/releases/tag/v0.9.42
x_refsource_MISC

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.