Unrated severity · NVD Advisory · Published Jun 19, 2026
YARD static cache reads raw traversal paths before router sanitization
CVE-2026-49342
Description
YARD is a documentation generation tool for the Ruby programming language. Prior to version 0.9.44, YARD's static cache lookup reads a request path before the router's path cleanup runs. When a server is configured with a document root, a traversal path such as /../yard-cache-secret.html is joined against that root and can return a readable sibling .html file outside the intended static tree. Version 0.9.44 patches the issue.
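The ordering problem described above, as an added example that is not YARD's own code: a lookup that joins the raw request path to the document root, beside one that canonicalises the path and requires it to stay under the root. The function names and the temporary directory layout are hypothetical and constructed for the illustration; only the traversal path comes from the advisory.

```ruby
require "tmpdir"
require "fileutils"

# Naive lookup (hypothetical): the raw request path is joined to the root
# before any cleanup, so ".." segments are resolved by the filesystem.
def naive_cache_lookup(root, request_path)
  file = File.join(root, request_path)
  File.file?(file) ? File.read(file) : nil
end

# Contained lookup (hypothetical): canonicalise first, then refuse anything
# that does not resolve to a file strictly below the document root.
def contained_cache_lookup(root, request_path)
  root_real = File.realpath(root)
  prefix = root_real + File::SEPARATOR
  candidate = File.expand_path(File.join(root_real, request_path))
  return nil unless candidate.start_with?(prefix)
  return nil unless File.file?(candidate)
  # realpath resolves symlinks, so a link inside the root cannot escape it
  real = File.realpath(candidate)
  return nil unless real.start_with?(prefix)
  File.read(real)
end

# Constructed layout: <tmp>/docroot/index.html is meant to be served,
# <tmp>/yard-cache-secret.html is a sibling outside the static tree.
def demo
  Dir.mktmpdir do |base|
    root = File.join(base, "docroot")
    FileUtils.mkdir_p(root)
    File.write(File.join(root, "index.html"), "public")
    File.write(File.join(base, "yard-cache-secret.html"), "secret")
    traversal = "/../yard-cache-secret.html" # path quoted in the advisory
    {
      naive_traversal: naive_cache_lookup(root, traversal),
      contained_traversal: contained_cache_lookup(root, traversal),
      contained_index: contained_cache_lookup(root, "/index.html")
    }
  end
end

p demo if $PROGRAM_NAME == __FILE__
```

The containment check compares against the root plus a trailing separator so that a sibling directory sharing the root's name as a prefix is not accepted.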
Affected products: 1
Patches
References (2)
- github.com/lsegal/yard/commit/f78c19f0dd33a407085b4ed181bb60c0aa0078b4 (mitre, x_refsource_MISC)
- github.com/lsegal/yard/security/advisories/GHSA-pxcc-8665-phx8 (mitre, x_refsource_CONFIRM)