RubyGems package
yard
pkg:gem/yard
Vulnerabilities (4)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-41493 | High | 7.5 | — | < 0.9.42 | 0.9.42 | May 8, 2026 | YARD is a Ruby Documentation tool. Prior to version 0.9.42, a path traversal vulnerability was discovered in YARD when using yard server to serve documentation. This bug would allow unsanitized HTTP requests to access arbitrary files on the machine of a yard server host under cer |
| CVE-2024-27285 | — | — | — | < 0.9.36 | 0.9.36 | Feb 28, 2024 | YARD is a Ruby Documentation tool. The "frames.html" file within the Yard Doc's generated documentation is vulnerable to Cross-Site Scripting (XSS) attacks due to inadequate sanitization of user input within the JavaScript segment of the "frames.erb" template file. This vulnerab |
| CVE-2019-1020001 | — | — | — | < 0.9.20 | 0.9.20 | Jul 29, 2019 | yard before 0.9.20 allows path traversal. |
| CVE-2017-17042 | High | 7.5 | — | < 0.9.11 | 0.9.11 | Nov 28, 2017 | lib/yard/core_ext/file.rb in the server in YARD before 0.9.11 does not block relative paths with an initial ../ sequence, which allows attackers to conduct directory traversal attacks and read arbitrary files. |