diff --git a/gems/devise/CVE-2026-32700.yml b/gems/devise/CVE-2026-32700.yml
index 025b987a7d..299e3d37f5 100644
--- a/gems/devise/CVE-2026-32700.yml
+++ b/gems/devise/CVE-2026-32700.yml
@@ -46,6 +46,7 @@ description: |
   force the attribute to be persisted, even if it did not really
   change, so you might have to implement a workaround similar to
   Devise by setting changed_attributes["unconfirmed_email"] = nil as well.
+cvss_v3: 5.3
 patched_versions:
   - ">= 5.0.3"
 related: