Is devise affected by CVE-2026-40295?

RubyGems devise is affected in <5.0.4.

Is CVE-2026-40295 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.3%.

medium

CVE-2026-40295

Q: Is CVE-2026-40295 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.3%.

RubyGems · devise

Summary

Devise has an Open Redirect via Unvalidated `request.referrer` in Timeoutable Session Timeout Handler

Severity: medium
EPSS: 0.3% (p23)
Also known as: GHSA-jp94-3292-c3xv
Published: 2026-05-08

References

https://github.com/heartcombo/devise/security/advisories/GHSA-jp94-3292-c3xv
https://nvd.nist.gov/vuln/detail/CVE-2026-40295
https://github.com/heartcombo/devise/commit/025fe2124f9928766fc46520e999633b598d0360

Related advisories

CVE-2015-8314 — high · RubyGems/devise
CVE-2026-32700 — medium · RubyGems/devise
CVE-2019-16109 — medium · RubyGems/devise
CVE-2019-5421 — medium · RubyGems/devise

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Check my repo

Summarize with AI

ChatGPT Claude Perplexity

Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.