devise (RubyGems) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the RubyGems package devise, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (6)
CVE-2019-5421 — CVSS 9.8 (critical): Plataformatec Devise version 4.5.0 and earlier, using the lockable module contains a CWE-367 vulnerability in The `Devise::Models::Lockable`…
CVE-2015-8314 — CVSS 7.5 (high): The Devise gem before 3.5.4 for Ruby mishandles Remember Me cookies for sessions, which may allow an adversary to obtain unauthorized…
CVE-2013-0233 — CVSS 6.8 (medium): Devise gem 2.2.x before 2.2.3, 2.1.x before 2.1.3, 2.0.x before 2.0.5, and 1.5.x before 1.5.4 for Ruby, when using certain databases, does…
CVE-2026-40295 — CVSS 6.1 (medium): Devise is an authentication solution for Rails based on Warden. In versions 5.0.3 and below, when the Timeoutable module is enabled in…
CVE-2019-16109 — CVSS 5.3 (medium): An issue was discovered in Plataformatec Devise before 4.7.1. It confirms accounts upon receiving a request with a blank…
CVE-2026-32700 — CVSS 5.3 (medium): Devise is an authentication solution for Rails based on Warden. Prior to version 5.0.3, a race condition in Devise's Confirmable module…