yard
RubyGems: 4 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting yard (page 1 of 1)
- CVE-2017-17042 | HIGH | CVSS 7.5 | EG 7.5 | Fixed in 0.9.11 | 2017-11-28
  vulnerable: 0.2.0 ... 0.9.9 (65 versions)
lib/yard/core_ext/file.rb in the server in YARD before 0.9.11 does not block relative paths with an initial ../ sequence, which allows attackers to conduct directory traversal attacks and read arbitrary files.
- CVE-2019-1020001 | HIGH | CVSS 7.5 | EG 7.5 | Fixed in 0.9.20 | 2019-07-29
  vulnerable: 0.2.0 ... 0.9.9 (74 versions)
yard before 0.9.20 allows path traversal.
- CVE-2024-27285 | MEDIUM | CVSS 5.4 | EG 5.4 | Fixed in 0.9.36 | 2024-02-28
  vulnerable: 0.2.0 ... 0.9.9 (90 versions)
YARD is a Ruby Documentation tool. The "frames.html" file within the Yard Doc's generated documentation is vulnerable to Cross-Site Scripting (XSS) attacks due to inadequate sanitization of user input within the JavaScript segment of the "…
- CVE-2026-41493 | HIGH | CVSS 7.5 | EG 7.5 | Fixed in 0.9.42 | 2026-05-08
  vulnerable: 0.2.0 ... 0.9.9 (96 versions)
YARD is a Ruby Documentation tool. Prior to version 0.9.42, a path traversal vulnerability was discovered in YARD when using yard server to serve documentation. This bug would allow unsanitized HTTP requests to access arbitrary files on th…