Vulnerable Library - yard-0.9.43.gem
YARD is a documentation generation tool for the Ruby programming language.
It enables the user to generate consistent, usable documentation that can be
exported to a number of formats very easily, and also supports extending for
custom Ruby constructs such as custom class level definitions.
Library home page: https://rubygems.org/gems/yard-0.9.43.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/yard-0.9.43.gem
Vulnerabilities
Details
CVE-2026-49342
Vulnerable Library - yard-0.9.43.gem
Dependency Hierarchy:
- ❌ yard-0.9.43.gem (Vulnerable Library)
Found in base branch: main
Vulnerability Details
YARD is a documentation generation tool for the Ruby programming language. Prior to version 0.9.44, YARD's static cache lookup reads a request path before the router's path cleanup runs. When a server is configured with a document root, a traversal path such as "/../yard-cache-secret.html" is joined against that root and can return a readable sibling ".html" file outside the intended static tree. Version 0.9.44 patches the issue.
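The traversal described above, modelled as an added example that is not yard's own code: a static lookup that joins the raw request path onto the document root (the weak pattern), beside a hardened version that canonicalises the joined path and refuses anything that resolves outside the root. The directory layout, file names and function names are constructed for illustration only.

```ruby
require "tmpdir"
require "fileutils"

# Weak pattern (illustrative model, not yard's code): the request path is
# joined onto the document root with no cleanup first. File.join collapses
# the doubled separator but keeps "..", so the OS resolves the escape.
def vulnerable_static_lookup(docroot, request_path)
  candidate = File.join(docroot, request_path)
  return nil unless candidate.end_with?(".html") && File.file?(candidate)
  File.read(candidate)
end

# Hardened form: canonicalise with File.expand_path, then require the result
# to remain under the document root before touching the filesystem.
def hardened_static_lookup(docroot, request_path)
  root = File.expand_path(docroot)
  candidate = File.expand_path(File.join(root, request_path))
  # The trailing separator stops "/srv/public-evil" passing as "/srv/public".
  return nil unless candidate.start_with?(root + File::SEPARATOR)
  return nil unless candidate.end_with?(".html") && File.file?(candidate)
  File.read(candidate)
end

# Constructed layout: docroot/index.html is meant to be served; a sibling
# yard-cache-secret.html one level above docroot must never be served.
def demo
  Dir.mktmpdir do |base|
    docroot = File.join(base, "public")
    FileUtils.mkdir_p(docroot)
    File.write(File.join(docroot, "index.html"), "public page")
    File.write(File.join(base, "yard-cache-secret.html"), "SECRET")

    {
      vuln_index:   vulnerable_static_lookup(docroot, "/index.html"),
      vuln_escape:  vulnerable_static_lookup(docroot, "/../yard-cache-secret.html"),
      fixed_index:  hardened_static_lookup(docroot, "/index.html"),
      fixed_escape: hardened_static_lookup(docroot, "/../yard-cache-secret.html"),
    }
  end
end

if __FILE__ == $0
  demo.each { |name, body| puts "#{name}: #{body.inspect}" }
end
```

Running the block shows the weak lookup returning the sibling file's contents for the traversal path while the hardened lookup returns nil for it and still serves index.html normally. The check belongs before any filesystem access, since File.file? on an uncleaned path already leaks whether a file outside the root exists.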
Publish Date: 2026-06-19
URL: CVE-2026-49342
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://github.com/lsegal/yard/security/advisories/GHSA-7rp6-v89r-xq4h
Release Date: 2026-06-19
Fix Resolution: yard - 0.9.44, https://github.com/lsegal/yard.git - v0.9.44