Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-658d-9w1u-q7fh
Vulnerability ID VCID-658d-9w1u-q7fh
Aliases CVE-2026-41493
GHSA-3jfp-46x4-xgfj
Summary Possible arbitrary path traversal and file access via yard server ### Impact A path traversal vulnerability was discovered in YARD <= 0.9.41 when using yard server to serve documentation. This bug would allow unsanitized HTTP requests to access arbitrary files on the machine of a yard server host under certain conditions. The original patch in [GHSA-xfhh-rx56-rxcr](https://github.com/lsegal/yard/security/advisories/GHSA-xfhh-rx56-rxcr) was incorrectly applied. ### Patches Please upgrade to YARD v0.9.42 immediately if you are relying on yard server to host documentation in any untrusted environments without WEBrick and rely on `--docroot`. ### Workarounds For users who cannot upgrade, it is possible to perform path sanitization of HTTP requests at your webserver level. WEBrick, for example, can perform such sanitization by default (which you can use via yard server -s webrick), as can certain rules in your webserver configuration.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3 5.3 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-41493.json
epss 0.00091 https://api.first.org/data/v1/epss?cve=CVE-2026-41493
cvssv4 6.9 https://github.com/lsegal/yard
generic_textual MODERATE https://github.com/lsegal/yard
cvssv4 6.9 https://github.com/lsegal/yard/releases/tag/v0.9.42
generic_textual MODERATE https://github.com/lsegal/yard/releases/tag/v0.9.42
ssvc Track https://github.com/lsegal/yard/releases/tag/v0.9.42
cvssv4 6.9 https://github.com/lsegal/yard/security/advisories/GHSA-3jfp-46x4-xgfj
generic_textual MODERATE https://github.com/lsegal/yard/security/advisories/GHSA-3jfp-46x4-xgfj
ssvc Track https://github.com/lsegal/yard/security/advisories/GHSA-3jfp-46x4-xgfj
cvssv4 6.9 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/yard/CVE-2026-41493.yml
generic_textual MODERATE https://github.com/rubysec/ruby-advisory-db/blob/master/gems/yard/CVE-2026-41493.yml
cvssv3 7.5 https://nvd.nist.gov/vuln/detail/CVE-2026-41493
cvssv4 6.9 https://nvd.nist.gov/vuln/detail/CVE-2026-41493
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2026-41493
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-41493.json
https://api.first.org/data/v1/epss?cve=CVE-2026-41493
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-41493
https://github.com/lsegal/yard
https://github.com/lsegal/yard/releases/tag/v0.9.42
https://github.com/lsegal/yard/security/advisories/GHSA-3jfp-46x4-xgfj
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/yard/CVE-2026-41493.yml
https://nvd.nist.gov/vuln/detail/CVE-2026-41493
1136076 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136076
2468081 https://bugzilla.redhat.com/show_bug.cgi?id=2468081
GHSA-3jfp-46x4-xgfj https://github.com/advisories/GHSA-3jfp-46x4-xgfj
USN-8394-1 https://usn.ubuntu.com/8394-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-41493.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://github.com/lsegal/yard
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://github.com/lsegal/yard/releases/tag/v0.9.42
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-08T14:15:08Z/ Found at https://github.com/lsegal/yard/releases/tag/v0.9.42
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://github.com/lsegal/yard/security/advisories/GHSA-3jfp-46x4-xgfj
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-08T14:15:08Z/ Found at https://github.com/lsegal/yard/security/advisories/GHSA-3jfp-46x4-xgfj
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://github.com/rubysec/ruby-advisory-db/blob/master/gems/yard/CVE-2026-41493.yml
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-41493
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.25703
EPSS Score 0.00091
Published At June 5, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-04T16:14:45.782357+00:00 Ruby Importer Import https://github.com/rubysec/ruby-advisory-db/blob/master/gems/yard/CVE-2026-41493.yml 38.6.0