Merge pull request #1038 from jasnow/ghsa-syncbot-2026-04-18-08_15_54

GHSA/SYNC: 1 brand new advisory

Author: flavorjones

gems/yard/GHSA-3jfp-46x4-xgfj.yml

@@ -0,0 +1,37 @@
+---
+gem: yard
+ghsa: 3jfp-46x4-xgfj
+url: https://github.com/lsegal/yard/security/advisories/GHSA-3jfp-46x4-xgfj
+title: yard - Possible arbitrary path traversal and file access via yard server
+date: 2026-04-17
+description: |
+  ### Impact
+
+  A path traversal vulnerability was discovered in YARD <= 0.9.41 when
+  using yard server to serve documentation. This bug would allow
+  unsanitized HTTP requests to access arbitrary files on the machine
+  of a yard server host under certain conditions.
+
+  The original patch in [GHSA-xfhh-rx56-rxcr](https://github.com/lsegal/yard/security/advisories/GHSA-xfhh-rx56-rxcr)
+  was incorrectly applied.
+
+  ### Patches
+
+  Please upgrade to YARD v0.9.42 immediately if you are relying on yard
+  server to host documentation in any untrusted environments without
+  WEBrick and rely on `--docroot`.
+
+  ### Workarounds
+
+  For users who cannot upgrade, it is possible to perform path sanitization
+  of HTTP requests at your webserver level. WEBrick, for example, can
+  perform such sanitization by default (which you can use via yard
+  server -s webrick), as can certain rules in your webserver configuration.
+patched_versions:
+  - ">= 0.9.42"
+related:
+  url:
+    - https://my.diffend.io/gems/yard/0.9.41/0.9.42
+    - https://github.com/lsegal/yard/security/advisories/GHSA-3jfp-46x4-xgfj
+    - https://github.com/lsegal/yard/security/advisories/GHSA-xfhh-rx56-rxcr
+    - https://github.com/advisories/GHSA-3jfp-46x4-xgfj