PatchSiren

home-assistant CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH home-assistant CVE published 2026-05-29

CVE-2026-44698

## Summary Home Assistant Companion apps for Android (prior to 2026.4.4) and iOS (prior to 2026.4.1) contain a cross-origin JavaScript bridge exposure vulnerability. The apps expose native bridge objects (`window.externalApp` on Android; `webkit.messageHandlers.getExternalAuth`, `revokeExternalAuth`, and `externalBus` on iOS) to all frames within the in-app WebView, including cross-origin iframes. Combine [truncated]