PatchSiren

Gardyn CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM Gardyn CVE published 2026-02-24

CVE-2026-32662

CVE-2026-32662 concerns Gardyn Home Kit components where development and test API endpoints mirror production functionality. CISA published the advisory on 2026-02-24 and updated it on 2026-04-02 to add this CVE and refresh the affected-product and mitigation details. The advisory rates the issue at CVSS 3.1 5.3 (Medium), with low confidentiality impact and no integrity or availability impact.

HIGH Gardyn CVE published 2026-02-24

CVE-2026-32646

CVE-2026-32646 is a high-severity authentication bypass in Gardyn’s ecosystem. CISA’s advisory says a specific administrative endpoint is accessible without proper authentication, which exposes device management functions. The advisory was first published on 2026-02-24 and updated on 2026-04-02 with added vulnerabilities and revised mitigations.

MEDIUM Gardyn CVE published 2026-02-24

CVE-2026-28767

CVE-2026-28767 affects Gardyn Home Kit-related products and describes an administrative notifications endpoint that is accessible without proper authentication. CISA published the advisory on 2026-02-24 and later added this CVE in Update A on 2026-04-02. The supplied CVSS vector indicates a network-reachable issue with no privileges or user interaction required and low confidentiality impact.

CRITICAL Gardyn CVE published 2026-02-24

CVE-2026-28766

CVE-2026-28766 is a critical authentication failure in Gardyn Home Kit-related products: a specific endpoint exposes registered user account information without requiring authentication. CISA assigns a CVSS 3.1 score of 9.3 (Critical; network-reachable, no privileges, no user interaction), with the main impact on confidentiality.

CRITICAL Gardyn CVE published 2026-02-24

CVE-2026-25197

CVE-2026-25197 is a critical-rated access-control weakness in Gardyn’s ecosystem: the advisory says a specific endpoint lets users pivot to other user profiles by modifying the id number in an API call. CISA assigned a CVSS 3.1 score of 9.1 (Critical) and published the advisory on 2026-02-24, with Update A on 2026-04-02 adding this CVE and related mitigations. The safest takeaway is that this is an [truncated]
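
The id-pivot pattern the advisory describes, as an added illustration that is not Gardyn's or PatchSiren's code: a toy profile handler in its vulnerable form (the client-supplied id alone selects the record) beside a hardened form that refuses unauthenticated callers first and then binds the record to the session identity. The user records, session tokens and handler names are constructed for the demo; the same authenticate-before-lookup check is what the unauthenticated-endpoint entries above (CVE-2026-32646, CVE-2026-28767, CVE-2026-28766) lack.

```python
"""Profile lookup showing the id-pivot (IDOR) pattern and the hardened form.

Added example, not Gardyn's or PatchSiren's code: the user records, the
session tokens and the handler names are constructed for this demo.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

# Constructed sample data: two accounts and one bearer token per account.
USERS = {
    101: {"name": "alice", "email": "alice@example.invalid"},
    102: {"name": "bob", "email": "bob@example.invalid"},
}
SESSIONS = {"tok-alice": 101, "tok-bob": 102}


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def get_profile_vulnerable(bearer: Optional[str], requested_id: int) -> Response:
    """The client-supplied id selects the record and nothing ties it to the
    caller, so any caller can walk the id space and read every profile."""
    record = USERS.get(requested_id)
    return Response(200, record) if record else Response(404)


def get_profile_fixed(bearer: Optional[str], requested_id: int) -> Response:
    """Authenticate, then authorize: the record is bound to the identity in
    the session, and the id in the request is accepted only if it matches."""
    caller_id = SESSIONS.get(bearer) if bearer else None
    if caller_id is None:
        return Response(401)  # no valid session: refuse before any lookup
    if requested_id != caller_id:
        # Someone else's profile. Answer 404 instead if you prefer not to
        # confirm that the id exists.
        return Response(403)
    return Response(200, USERS[caller_id])


def walk_ids(handler: Callable[[Optional[str], int], Response],
             bearer: Optional[str], ids: Iterable[int]) -> list:
    """Try a range of ids against a handler and report the status per id;
    the vulnerable handler answers 200 for every existing account."""
    return [(i, handler(bearer, i).status) for i in ids]


if __name__ == "__main__":
    print("vulnerable:", walk_ids(get_profile_vulnerable, "tok-bob", range(100, 104)))
    print("fixed:     ", walk_ids(get_profile_fixed, "tok-bob", range(100, 104)))
```

The fixed handler deliberately does the session check before touching the data store, so an unauthenticated request never learns whether an id exists; whether a mismatched id gets 403 or 404 is a policy choice, but it must never get the record.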

CRITICAL Gardyn CVE published 2026-02-24

CVE-2025-29631

CVE-2025-29631 is a critical command-injection issue in Gardyn Home Kit-related software and firmware. According to the CISA CSAF advisory, vulnerable methods pass unsanitized input to the operating system, which can allow arbitrary command execution on a target Home Kit. The advisory was first published on 2026-02-24 and updated on 2026-04-02.
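
The "unsanitized input passed to the operating system" pattern in general terms, as an added example that is not Gardyn's firmware or PatchSiren's code: a wrapper that splices a caller-supplied value into a shell string, the same call made with an argv list (shell metacharacters become inert, but a leading dash is still parsed as an option), and the hardened form that allowlists the value before it reaches any tool. The operation (echoing a host name back), the host-name rule and the sample inputs are constructed for the demo.

```python
"""OS-command wrapper in its injectable shape and a hardened shape.

Added example, not Gardyn's firmware: the operation (echoing a host name
back), the host-name rule and the sample inputs are constructed for this
demo. Nothing is invoked but echo, so it runs offline on any POSIX system.
"""
import re
import subprocess

# Allowlist for a DNS host name: labels of letters, digits and interior
# hyphens, joined by dots. A leading '-' cannot match, so the value can
# never be parsed as an option by the tool that receives it.
HOSTNAME_RE = re.compile(
    r"(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
)


def is_valid_host(host: str) -> bool:
    return HOSTNAME_RE.fullmatch(host) is not None


def run_shell_vulnerable(host: str) -> str:
    """Unsanitized input spliced into a shell command line: a ';', '|', '$('
    or backtick in the input runs whatever follows it."""
    return subprocess.run("echo " + host, shell=True,
                          capture_output=True, text=True).stdout


def run_argv_unvalidated(host: str) -> str:
    """argv form, no shell: metacharacters are inert, but the value still
    reaches the tool and a leading '-' is parsed as an option."""
    return subprocess.run(["echo", host], capture_output=True, text=True).stdout


def run_argv_fixed(host: str) -> str:
    """argv form plus an allowlist: reject anything that is not a host name
    before it reaches the tool, so neither shell nor option injection works."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host name: {host!r}")
    return subprocess.run(["echo", host], capture_output=True, text=True).stdout


if __name__ == "__main__":
    print(repr(run_shell_vulnerable("ok; echo INJECTED")))
    print(repr(run_argv_unvalidated("ok; echo INJECTED")))
    print(repr(run_argv_unvalidated("-n")))
    print(repr(run_argv_fixed("kit.example.invalid")))
```

Dropping the shell closes the command-injection class the advisory describes, but option injection through a leading dash survives the argv form, which is why the hardened wrapper validates the value rather than trying to escape it.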

HIGH Gardyn CVE published 2026-02-24

CVE-2025-29629

CVE-2025-29629 is a high-severity Gardyn issue where weak default credentials for SSH could let attackers gain access to exposed Gardyn Home Kits. The CISA CSAF advisory was first published on 2026-02-24 and later updated on 2026-04-02. The source remediation guidance emphasizes upgrading device firmware and the Gardyn mobile app rather than attempting any workaround on the exposed credentials themselves.

HIGH Gardyn CVE published 2026-02-24

CVE-2025-29628

CVE-2025-29628 describes an insecure transport issue in Gardyn’s update flow: an Azure IoT Hub connection string is downloaded over HTTP rather than a protected channel. According to the CISA advisory, that leaves the string open to interception and modification by a man-in-the-middle attacker, which could expose device credentials or enable control of affected Home Kits.

CRITICAL Gardyn CVE published 2026-02-24

CVE-2025-1242

CVE-2025-1242 is a critical Gardyn issue in which administrative credentials may be extracted from application API responses, through mobile app reverse engineering, and through device firmware reverse engineering. CISA says this could let an attacker obtain full administrative access to the Gardyn IoT Hub and maliciously control connected devices. The advisory was initially published on 2026-02-24 and up [truncated]

HIGH Gardyn CVE published 2026-02-24

CVE-2025-10681

CVE-2025-10681 is a high-severity Gardyn issue where storage credentials are hardcoded in the mobile app and device firmware. CISA’s advisory says the credentials do not adequately limit end-user permissions and do not expire in a reasonable time, which may allow unauthorized access to production storage containers.
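
A check a practitioner would run against an unpacked app bundle or a `strings` dump of a firmware image, covering the three credential-exposure entries above (CVE-2025-29628, CVE-2025-1242 and CVE-2025-10681): it finds Azure Storage and IoT Hub connection strings, flags hub-wide policy keys separately from per-device keys, reports SAS tokens whose expiry is far in the future, and lists any URL fetched over cleartext HTTP. This is an added example, not PatchSiren's or Gardyn's code; the connection-string and SAS shapes are Azure's documented public formats, while the sample lines, host names, key values and the 90-day lifetime threshold are constructed assumptions for the demo.

```python
"""Scan strings pulled from an app bundle or firmware image for embedded
Azure credentials and plaintext-HTTP fetch URLs.

Added example, not PatchSiren's or Gardyn's code. The connection-string and
SAS-token shapes are Azure's documented public formats; the sample lines,
host names and key values below are constructed for the demo and are not
real secrets. The 90-day SAS lifetime threshold is an assumed policy value.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple
from urllib.parse import parse_qs

# Key=value;Key=value chains, the grammar of Azure Storage and IoT Hub connection strings.
CONN_STR_RE = re.compile(r"(?:[A-Za-z]+=[^;\s\"'<>]+;)+[A-Za-z]+=[^;\s\"'<>]+")
# A shared access signature always carries a sig= parameter.
SAS_RE = re.compile(r"(?:^|[?&])sig=[A-Za-z0-9%+/=-]{16,}")
# Cleartext fetch targets; 'https://' never matches because the literal is 'http://'.
HTTP_URL_RE = re.compile(r"\bhttp://[^\s\"'<>]+")
SAS_MAX_LIFETIME = timedelta(days=90)  # assumption: what this demo treats as a reasonable expiry


@dataclass
class Finding:
    kind: str
    line_no: int
    detail: str


def redact(secret: str) -> str:
    """Keep a short prefix only, so the report itself does not re-leak the credential."""
    return secret[:4] + "..." if len(secret) > 4 else "..."


def parse_conn_str(s: str) -> dict:
    return dict(part.split("=", 1) for part in s.split(";") if "=" in part)


def classify_conn_str(fields: dict) -> Optional[Tuple[str, str]]:
    """Map parsed fields to the kind of Azure credential they carry, if any."""
    if "AccountName" in fields and "AccountKey" in fields:
        detail = f"storage account {fields['AccountName']} key {redact(fields['AccountKey'])}"
        proto = fields.get("DefaultEndpointsProtocol", "https")
        if proto.lower() != "https":
            detail += f" (DefaultEndpointsProtocol={proto})"
        return "azure-storage-account-key", detail
    if "HostName" in fields and "SharedAccessKey" in fields:
        key = redact(fields["SharedAccessKey"])
        if "SharedAccessKeyName" in fields:
            # A named hub policy (iothubowner, service, ...) is a hub-wide credential,
            # which is the administrative case rather than a per-device identity.
            return "azure-iothub-policy-key", f"{fields['HostName']} policy {fields['SharedAccessKeyName']} key {key}"
        return "azure-iothub-device-key", f"{fields['HostName']} device {fields.get('DeviceId', '?')} key {key}"
    return None


def sas_detail(line: str, now: datetime) -> Optional[str]:
    """Describe a SAS query string and flag one whose expiry is far in the future."""
    params = parse_qs(line[line.find("?") + 1:] if "?" in line else line)
    if "sig" not in params:
        return None
    detail = f"sig {redact(params['sig'][0])}, permissions {params.get('sp', ['?'])[0]}"
    if "se" in params:
        expiry = datetime.fromisoformat(params["se"][0].replace("Z", "+00:00"))
        if expiry - now > SAS_MAX_LIFETIME:
            detail += f", expires {expiry.date()} (long-lived)"
    return detail


def scan_text(text: str, now: Optional[datetime] = None) -> List[Finding]:
    """One pass over newline-separated strings (for example the output of
    `strings` on a firmware image, or files from an unpacked app bundle)."""
    now = now or datetime.now(timezone.utc)
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in CONN_STR_RE.finditer(line):
            hit = classify_conn_str(parse_conn_str(m.group(0)))
            if hit:
                findings.append(Finding(hit[0], line_no, hit[1]))
        if SAS_RE.search(line):
            detail = sas_detail(line, now)
            if detail:
                findings.append(Finding("sas-token", line_no, detail))
        for m in HTTP_URL_RE.finditer(line):
            findings.append(Finding("plaintext-http-url", line_no, m.group(0)))
    return findings


# Constructed sample: a few lines of the kind an extracted-strings dump might hold.
SAMPLE_STRINGS = """\
/usr/bin/demo-agent
DefaultEndpointsProtocol=https;AccountName=demostorage;AccountKey=ZGVtby1hY2NvdW50LWtleS1ub3QtcmVhbA==;EndpointSuffix=core.windows.net
HostName=demo-hub.azure-devices.net;SharedAccessKeyName=iothubowner;SharedAccessKey=aW90aHVib3duZXItZGVtbw==
http://updates.example.invalid/device/iothub.conf
https://api.example.invalid/v1/status
?sv=2021-06-08&ss=b&srt=sco&sp=rwdl&se=2099-01-01T00:00:00Z&sig=ZGVtby1zaWduYXR1cmU%3D
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_STRINGS):
        print(f"line {f.line_no}: {f.kind}: {f.detail}")
```

Run it over `strings -n 8 firmware.bin` or over the files of an unpacked mobile app; every hit is a credential that ships to every customer and should be treated as already disclosed. The policy-key versus device-key distinction matters because a hub-wide policy key is what grants the administrative control the CVE-2025-1242 entry describes, and the cleartext-URL list is where a connection string fetched over HTTP (CVE-2025-29628) shows up.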