MEDIUM
heartcombo
CVE published 2026-05-22
CVE-2026-40295
## Summary

Devise versions ≤5.0.3 contain an open-redirect vulnerability in the Timeoutable module. When a non-GET request triggers a session timeout, `FailureApp#redirect_url` returns the attacker-controllable HTTP Referer header without validation, enabling silent cross-origin redirects to arbitrary external URLs. This bypasses Rails' built-in open-redirect protections because `Devise::FailureApp` is an [truncated]
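As an added defensive illustration (not Devise's own code or its fix), the following shows how a redirect target taken from the Referer header can be validated against the request origin before it is used, so that only same-origin paths survive and everything else falls back to the sign-in page. The request origin and the fallback path are assumed values.

```ruby
require "uri"

# Added example, not part of Devise. Given a raw Referer value, return a
# same-origin path (plus query) that is safe to redirect to, or the fallback.
# request_origin is the scheme://host[:port] of the current request (assumed).
def safe_timeout_redirect(referer, request_origin:, fallback: "/users/sign_in")
  return fallback if referer.nil? || referer.strip.empty?

  # Protocol-relative ("//evil.example") and backslash forms ("/\evil.example")
  # are treated as external hosts by browsers, so reject them before parsing.
  return fallback if referer.start_with?("//", "/\\", "\\")

  target = begin
    URI.parse(referer)
  rescue URI::InvalidURIError
    return fallback
  end

  # A relative reference is acceptable only as an absolute path on this site.
  if target.relative?
    return target.path.start_with?("/") ? path_and_query(target) : fallback
  end

  # Absolute URL: scheme, host and port must all match the request origin.
  origin = URI.parse(request_origin)
  same_origin = target.scheme.to_s.downcase == origin.scheme.to_s.downcase &&
                target.host.to_s.downcase == origin.host.to_s.downcase &&
                target.port == origin.port
  return fallback unless same_origin

  # Re-emit only path and query so userinfo or fragment never pass through.
  path_and_query(target)
end

def path_and_query(uri)
  path = uri.path.to_s.empty? ? "/" : uri.path
  uri.query ? "#{path}?#{uri.query}" : path
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample Referer values for demonstration.
  ["https://app.example/dashboard?tab=2", "/account", "//evil.example",
   "https://evil.example/", "javascript:alert(1)", nil].each do |ref|
    puts "#{ref.inspect.ljust(42)} -> #{safe_timeout_redirect(ref, request_origin: 'https://app.example')}"
  end
end
```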