Vulnerable Library - yard-0.8.7.6.gem
YARD is a documentation generation tool for the Ruby programming language.
It enables the user to generate consistent, usable documentation that can be
exported to a number of formats very easily, and also supports extending for
custom Ruby constructs such as custom class level definitions.
Library home page: https://rubygems.org/gems/yard-0.8.7.6.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/yard-0.8.7.6.gem
Found in HEAD commit: 9461b71edb4933319230643eed039858109d9238
Vulnerabilities
| Vulnerability |
Severity |
 CVSS |
Dependency |
Type |
Fixed in (yard version) |
Remediation Possible** |
| CVE-2019-1020001 |
 High |
7.5 |
yard-0.8.7.6.gem |
Direct |
yard - 0.9.20 |
❌ |
| CVE-2024-27285 |
 Medium |
5.4 |
yard-0.8.7.6.gem |
Direct |
yard - 0.9.36 |
❌ |
| CVE-2026-41493 |
Medium |
5.3 |
yard-0.8.7.6.gem |
Direct |
yard - 0.9.42 |
❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2019-1020001
Vulnerable Library - yard-0.8.7.6.gem
YARD is a documentation generation tool for the Ruby programming language.
It enables the user to generate consistent, usable documentation that can be
exported to a number of formats very easily, and also supports extending for
custom Ruby constructs such as custom class level definitions.
Library home page: https://rubygems.org/gems/yard-0.8.7.6.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/yard-0.8.7.6.gem
Dependency Hierarchy:
- ❌ yard-0.8.7.6.gem (Vulnerable Library)
Found in HEAD commit: 9461b71edb4933319230643eed039858109d9238
Found in base branch: master
Vulnerability Details
yard before 0.9.20 allows path traversal.
Publish Date: 2019-07-29
URL: CVE-2019-1020001
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-xfhh-rx56-rxcr
Release Date: 2019-07-29
Fix Resolution: yard - 0.9.20
Step up your Open Source Security Game with Mend here
CVE-2024-27285
Vulnerable Library - yard-0.8.7.6.gem
YARD is a documentation generation tool for the Ruby programming language.
It enables the user to generate consistent, usable documentation that can be
exported to a number of formats very easily, and also supports extending for
custom Ruby constructs such as custom class level definitions.
Library home page: https://rubygems.org/gems/yard-0.8.7.6.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/yard-0.8.7.6.gem
Dependency Hierarchy:
- ❌ yard-0.8.7.6.gem (Vulnerable Library)
Found in HEAD commit: 9461b71edb4933319230643eed039858109d9238
Found in base branch: master
Vulnerability Details
YARD is a Ruby Documentation tool. The "frames.html" file within the Yard Doc's generated documentation is vulnerable to Cross-Site Scripting (XSS) attacks due to inadequate sanitization of user input within the JavaScript segment of the "frames.erb" template file. This vulnerability is fixed in 0.9.36.
Publish Date: 2024-02-28
URL: CVE-2024-27285
CVSS 3 Score Details (5.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-8mq4-9jjh-9xrc
Release Date: 2024-02-28
Fix Resolution: yard - 0.9.36
Step up your Open Source Security Game with Mend here
CVE-2026-41493
Vulnerable Library - yard-0.8.7.6.gem
YARD is a documentation generation tool for the Ruby programming language.
It enables the user to generate consistent, usable documentation that can be
exported to a number of formats very easily, and also supports extending for
custom Ruby constructs such as custom class level definitions.
Library home page: https://rubygems.org/gems/yard-0.8.7.6.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/yard-0.8.7.6.gem
Dependency Hierarchy:
- ❌ yard-0.8.7.6.gem (Vulnerable Library)
Found in HEAD commit: 9461b71edb4933319230643eed039858109d9238
Found in base branch: master
Vulnerability Details
YARD is a Ruby Documentation tool. Prior to version 0.9.42, a path traversal vulnerability was discovered in YARD when using yard server to serve documentation. This bug would allow unsanitized HTTP requests to access arbitrary files on the machine of a yard server host under certain conditions. This issue has been patched in version 0.9.42.
Publish Date: 2026-05-08
URL: CVE-2026-41493
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-3jfp-46x4-xgfj
Release Date: 2026-05-05
Fix Resolution: yard - 0.9.42
Step up your Open Source Security Game with Mend here
YARD is a documentation generation tool for the Ruby programming language. It enables the user to generate consistent, usable documentation that can be exported to a number of formats very easily, and also supports extending for custom Ruby constructs such as custom class level definitions.
Library home page: https://rubygems.org/gems/yard-0.8.7.6.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/yard-0.8.7.6.gem
Found in HEAD commit: 9461b71edb4933319230643eed039858109d9238
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - yard-0.8.7.6.gem
YARD is a documentation generation tool for the Ruby programming language. It enables the user to generate consistent, usable documentation that can be exported to a number of formats very easily, and also supports extending for custom Ruby constructs such as custom class level definitions.
Library home page: https://rubygems.org/gems/yard-0.8.7.6.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/yard-0.8.7.6.gem
Dependency Hierarchy:
Found in HEAD commit: 9461b71edb4933319230643eed039858109d9238
Found in base branch: master
Vulnerability Details
yard before 0.9.20 allows path traversal.
Publish Date: 2019-07-29
URL: CVE-2019-1020001
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-xfhh-rx56-rxcr
Release Date: 2019-07-29
Fix Resolution: yard - 0.9.20
Step up your Open Source Security Game with Mend here
Vulnerable Library - yard-0.8.7.6.gem
YARD is a documentation generation tool for the Ruby programming language. It enables the user to generate consistent, usable documentation that can be exported to a number of formats very easily, and also supports extending for custom Ruby constructs such as custom class level definitions.
Library home page: https://rubygems.org/gems/yard-0.8.7.6.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/yard-0.8.7.6.gem
Dependency Hierarchy:
Found in HEAD commit: 9461b71edb4933319230643eed039858109d9238
Found in base branch: master
Vulnerability Details
YARD is a Ruby Documentation tool. The "frames.html" file within the Yard Doc's generated documentation is vulnerable to Cross-Site Scripting (XSS) attacks due to inadequate sanitization of user input within the JavaScript segment of the "frames.erb" template file. This vulnerability is fixed in 0.9.36.
Publish Date: 2024-02-28
URL: CVE-2024-27285
CVSS 3 Score Details (5.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-8mq4-9jjh-9xrc
Release Date: 2024-02-28
Fix Resolution: yard - 0.9.36
Step up your Open Source Security Game with Mend here
Vulnerable Library - yard-0.8.7.6.gem
YARD is a documentation generation tool for the Ruby programming language. It enables the user to generate consistent, usable documentation that can be exported to a number of formats very easily, and also supports extending for custom Ruby constructs such as custom class level definitions.
Library home page: https://rubygems.org/gems/yard-0.8.7.6.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/yard-0.8.7.6.gem
Dependency Hierarchy:
Found in HEAD commit: 9461b71edb4933319230643eed039858109d9238
Found in base branch: master
Vulnerability Details
YARD is a Ruby Documentation tool. Prior to version 0.9.42, a path traversal vulnerability was discovered in YARD when using yard server to serve documentation. This bug would allow unsanitized HTTP requests to access arbitrary files on the machine of a yard server host under certain conditions. This issue has been patched in version 0.9.42.
Publish Date: 2026-05-08
URL: CVE-2026-41493
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-3jfp-46x4-xgfj
Release Date: 2026-05-05
Fix Resolution: yard - 0.9.42
Step up your Open Source Security Game with Mend here