Home Assistant Companion apps for Android and iOS contain a vulnerability that exposes JavaScript bridges to all frames, including cross-origin iframes. The flaw allows arbitrary JavaScript execution in the main-frame origin and potential exfiltration of user access tokens. The vulnerability affects versions prior to 2026.4.1 for iOS and 2026.4.4 for Android. Attackers can exploit unsanitized interpolation of JavaScript callback identifiers through cross-origin iframes rendered within the Companion app. This represents a significant security risk for home automation systems using Home Assistant.