CVE-2026-49342: YARD static cache reads raw traversal paths before router sanitization
YARD’s static cache lookup reads a request path before the router’s path cleanup runs. When a server is configured with a document root, a traversal path such as /../yard-cache-secret.html is joined against that root and can return a readable sibling .html file outside the intended static tree.
The potential security risk seems low, as only html-ending files can be read, but still the risk of reading arbitrary html files is a confidentiality issue in itself, which is why we decided to report. Please let us know if this is out of your project’s scope.
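The ordering bug the advisory describes, illustrated as an added example that is not YARD's own code: a lookup that joins the raw request path to the document root before cleanup, beside a hardened lookup that canonicalizes first and then checks that the result stays inside the root and names an .html file. DOC_ROOT and both function names are hypothetical.

```ruby
require 'pathname'

# Hypothetical document root for this example (not YARD's real configuration).
DOC_ROOT = '/srv/yard-docs'

# Mirrors the ordering the advisory describes: the request path is joined to
# the root before any sanitization, so "/../x.html" resolves outside the root.
def unsanitized_lookup(request_path, root = DOC_ROOT)
  File.expand_path(File.join(root, request_path))
end

# Hardened lookup: canonicalize the joined path, then require that it is the
# root itself or a descendant of it, and that it names an .html file.
# Returns nil for anything else, so the caller serves nothing.
def sanitized_lookup(request_path, root = DOC_ROOT)
  root_path = Pathname.new(root).expand_path
  candidate = Pathname.new(File.join(root_path.to_s, request_path)).expand_path
  # Containment check with a trailing separator, so "/srv/yard-docs-old"
  # does not pass as a child of "/srv/yard-docs".
  inside = candidate == root_path ||
           candidate.to_s.start_with?(root_path.to_s + File::SEPARATOR)
  return nil unless inside
  return nil unless candidate.extname == '.html'
  # Caveat: expand_path does not follow symlinks; if the tree may contain
  # symlinks, re-check containment with candidate.realpath once it exists.
  candidate.to_s
end
```

The same canonicalize-then-contain check also handles traversal that is hidden inside a nested segment, such as `/a/../b.html`, which resolves to a sibling file inside the root rather than escaping it.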