Skip to main content

Gardyn Cloud Api

2 CVEs product

Monthly

CVE-2026-54477 MEDIUM PATCH CISA This Month

Missing HTTP security headers in the Gardyn admin panel expose Gardyn Home Firmware, Gardyn Studio Firmware, and Gardyn Cloud API to clickjacking and cross-site scripting attacks against authenticated administrators. The absence of directives such as X-Frame-Options, Content-Security-Policy frame-ancestors, and script-source restrictions allows an attacker to embed the admin panel in a malicious iframe or inject client-side scripts into the admin session context. Reported by ICS-CERT under advisory ICSA-26-183-03, no public exploit or active exploitation has been confirmed at time of analysis.

XSS Gardyn Home Firmware Gardyn Studio Firmware Gardyn Cloud Api
NVD GitHub
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-55726 MEDIUM PATCH CISA This Month

Unauthenticated public listing of an Azure Blob Storage container exposes device log files across the entire Gardyn smart garden fleet to any internet-accessible actor. The misconfiguration affects all versions of Gardyn Home Firmware, Gardyn Studio Firmware, and the Gardyn Cloud API, meaning no specific patched version bounds the exposure - it is architectural rather than release-specific. Reported via ICS-CERT advisory ICSA-26-183-03, no confirmed active exploitation (CISA KEV) and no public exploit code have been identified at time of analysis, though exploitation requires zero technical prerequisites beyond internet access and knowledge of the container URL.

Microsoft Information Disclosure Gardyn Home Firmware Gardyn Studio Firmware Gardyn Cloud Api
NVD GitHub
CVSS 4.0
6.9
EPSS
0.4%
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Missing HTTP security headers in the Gardyn admin panel expose Gardyn Home Firmware, Gardyn Studio Firmware, and Gardyn Cloud API to clickjacking and cross-site scripting attacks against authenticated administrators. The absence of directives such as X-Frame-Options, Content-Security-Policy frame-ancestors, and script-source restrictions allows an attacker to embed the admin panel in a malicious iframe or inject client-side scripts into the admin session context. Reported by ICS-CERT under advisory ICSA-26-183-03, no public exploit or active exploitation has been confirmed at time of analysis.

XSS Gardyn Home Firmware Gardyn Studio Firmware +1
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Unauthenticated public listing of an Azure Blob Storage container exposes device log files across the entire Gardyn smart garden fleet to any internet-accessible actor. The misconfiguration affects all versions of Gardyn Home Firmware, Gardyn Studio Firmware, and the Gardyn Cloud API, meaning no specific patched version bounds the exposure - it is architectural rather than release-specific. Reported via ICS-CERT advisory ICSA-26-183-03, no confirmed active exploitation (CISA KEV) and no public exploit code have been identified at time of analysis, though exploitation requires zero technical prerequisites beyond internet access and knowledge of the container URL.

Microsoft Information Disclosure Gardyn Home Firmware +2
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy