4 matches found
CVE-2024-27285
CVE-2024-27285 affects YARD, a Ruby documentation generator. The vulnerability lies in the generated frames.html, where inadequate sanitization in the JavaScript of the frames.erb template allowed Cross-Site Scripting (XSS). Public advisories (Debian, Fedora, Ubuntu, NVD) attribute the issue to Y...
CVE-2019-1020001
CVE-2019-1020001 affects yard (Ruby documentation tool) prior to 0.9.20. The path traversal fixes appear across multiple advisories (OSV/Debian/Ubuntu), indicating arbitrary path traversal and file access via the yard server. The connected docs confirm the affected version range and the nature of...
CVE-2017-17042
CVE-2017-17042 affects the YARD project: the server in YARD before 0.9.11 does not block relative paths starting with ../ in lib/yard/core_ext/file.rb, enabling directory traversal and potential reading of arbitrary files. Affected platforms are evidenced by multiple advisories (Fedora, openSUSE,...
CVE-2026-41493
Summary: CVE-2026-41493 affects the Ruby documentation tool YARD, specifically the yard server. Prior to version 0.9.42, a path traversal vulnerability could allow unsanitized HTTP requests to access arbitrary files on the host running yard server under certain conditions. This was fixed in versi...