CVE-2026-49342
YARD static cache reads raw traversal paths before router sanitization
| CVSS Score | 5.3 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
YARD is a documentation generation tool for the Ruby programming language. Prior to version 0.9.44, YARD's static cache lookup reads a request path before the router's path cleanup runs. When a server is configured with a document root, a traversal path such as `/../yard-cache-secret.html` is joined against that root and can return a readable sibling `.html` file outside the intended static tree. Version 0.9.44 patches the issue.
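The ordering defect described above, reduced to a small Ruby example: this is added illustration, not YARD's own code, and the document root `/srv/yard-docs` and the request paths are constructed for it. `vulnerable_cache_path` reproduces the pattern the advisory describes (the raw request path is joined against the document root and resolved, so a leading `..` lands on a sibling file), while `safe_cache_path` resolves the same path and refuses anything that does not stay under the root; `classify_requests` applies that check to a list of request paths so the rejected ones can be counted or logged.

```ruby
# Constructed document root for the example (not a YARD default).
DOC_ROOT = '/srv/yard-docs'.freeze

# The pattern the advisory describes: the raw request path is joined against
# the document root and resolved with no check that the result stays inside
# the static tree, so '/../x.html' resolves to a sibling of the root.
def vulnerable_cache_path(doc_root, request_path)
  File.expand_path(File.join(doc_root, request_path))
end

# Hardened lookup: resolve the candidate, then require that it is the root
# itself or lies strictly below it. The trailing separator in the prefix test
# matters, otherwise '/srv/yard-docs-private/...' would pass for a root of
# '/srv/yard-docs'. Returns nil for any path that would leave the root.
def safe_cache_path(doc_root, request_path)
  root = File.expand_path(doc_root)
  candidate = File.expand_path(File.join(root, request_path))
  inside = candidate == root || candidate.start_with?(root + File::SEPARATOR)
  inside ? candidate : nil
end

# Classify a batch of request paths as :served or :rejected under the safe
# lookup. Useful for checking access logs for traversal attempts against a
# known document root.
def classify_requests(doc_root, request_paths)
  request_paths.each_with_object({}) do |path, result|
    result[path] = safe_cache_path(doc_root, path) ? :served : :rejected
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request paths: one legitimate, one traversal, one prefix trick.
  requests = ['/index.html', '/../yard-cache-secret.html', '/../yard-docs-private/a.html']
  requests.each do |req|
    puts "#{req}: vulnerable -> #{vulnerable_cache_path(DOC_ROOT, req)}, " \
         "safe -> #{safe_cache_path(DOC_ROOT, req).inspect}"
  end
  p classify_requests(DOC_ROOT, requests)
end
```

Note that the check is done on the resolved path, not by string-matching `..` in the request: that way encoded or redundant segments such as `/docs/../index.html` are still served when they resolve inside the root, and only paths that actually escape are refused.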
| CWE | CWE-22 |
| Vendor | lsegal |
| Product | yard |
| Published | Jun 19, 2026 |
CVSS v3 Breakdown
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity | None |
| Availability | None |
Affected Versions
| lsegal / yard | < 0.9.44 |