VYPR

Mvt

by Mvt Project

Source repositories

CVEs (1)

  • CVE-2026-46486 (May 21, 2026)
    risk 0.00 (cvss, epss)

    ### Summary

    The `fileID` field from `Manifest.db` (a SQLite database inside iOS backups, generated by the device) is used directly in filesystem path construction without validation. This affects two commands through a shared code path:

    - **`mvt-ios decrypt-backup`** (`decrypt.py`): `file_id` is used to construct both the read source and the write destination paths. Traversal sequences in `file_id` cause decrypted content to be written to an arbitrary location on the analyst's filesystem.
    - **`mvt-ios check-backup`** (via `_get_backup_file_from_id()` in `ios/modules/base.py`): the same unvalidated `fileID` resolves to files outside the backup directory, which are then opened and parsed. Parsed contents flow into the JSON results and the CSV timeline.

    ### Impact

    **File write (decrypt-backup):** An adversary delivering a crafted iOS backup can cause attacker-controlled content to be written to arbitrary paths writable by the analyst process. This could be leveraged for code execution via shell profile modification or SSH key injection. Severity is assessed as Moderate because exploitation requires a specifically crafted malicious bundle to be parsed by the analyst. There are trust mitigations between the stakeholders involved in the handoff of the sample that reduce the likelihood of this scenario.

    **File read (check-backup):** An adversary can force MVT to open and parse files outside the backup directory. Practical exploitation is reduced as it requires the attacker to know or guess the analyst's directory layout for cross-case targeting, and the traversed file from the host must be a valid SQLite database or plist whose schema matches what the specific MVT module expects.

    ### Patched version

    [2026.5.12](https://github.com/mvt-project/mvt/releases/tag/v2026.5.12)

    ### Credits

    This issue was identified during a security assessment conducted by 0xche.
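The defensive pattern that closes both code paths described above is to treat `fileID` as untrusted input and validate it before it becomes a path component. The following is an added example written for this page, not MVT's own code or its fix: it assumes the standard iOS backup layout in which each file lives at `<backup_dir>/<first two hex chars>/<fileID>` with `fileID` a 40-character lowercase hex SHA-1 digest, and it uses an in-memory stand-in for the `Files` table of `Manifest.db` with constructed rows (one well-formed, two hostile). The same `resolve_backup_file` check applies to the write destination in a decrypt step as it does to the read source.

```python
import re
import sqlite3
from pathlib import Path

# Assumption (not stated in the advisory): iOS backups store each file at
# <backup_dir>/<first two hex chars>/<fileID>, where fileID is a 40-character
# lowercase SHA-1 hex digest. Anything else is rejected before path building.
FILE_ID_RE = re.compile(r"[0-9a-f]{40}")

# Constructed sample fileID (40 hex chars) used for the well-formed row below.
VALID_ID = "3d0d7e5fb2ce288813306e4d4636395e047a3d28"


class UnsafeFileID(ValueError):
    """Raised when a Manifest.db fileID cannot safely be used as a path component."""


def resolve_backup_file(backup_dir: str, file_id: str) -> Path:
    """Map a fileID to its on-disk location without ever leaving backup_dir.

    Two independent checks: a strict allow-list on the value itself, then a
    containment check on the fully resolved path (defence in depth, so a
    future relaxation of the regex does not silently reopen traversal).
    """
    if not FILE_ID_RE.fullmatch(file_id):
        raise UnsafeFileID(f"fileID is not a 40-char hex digest: {file_id!r}")
    base = Path(backup_dir).resolve()
    candidate = (base / file_id[:2] / file_id).resolve()
    if base not in candidate.parents:
        raise UnsafeFileID(f"fileID resolves outside the backup: {candidate}")
    return candidate


def build_constructed_manifest() -> sqlite3.Connection:
    """In-memory stand-in for the Files table of Manifest.db (constructed rows).

    Row 1 is a normal entry; rows 2 and 3 carry traversal sequences of the kind
    the advisory describes and must never reach the filesystem layer.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Files (fileID TEXT, domain TEXT, relativePath TEXT, flags INTEGER)"
    )
    rows = [
        (VALID_ID, "HomeDomain", "Library/SMS/sms.db", 1),
        ("../../../outside.db", "HomeDomain", "Library/evil.db", 1),
        ("ab/../../..", "HomeDomain", "Library/evil2.db", 1),
    ]
    conn.executemany("INSERT INTO Files VALUES (?, ?, ?, ?)", rows)
    return conn


def partition_manifest(conn: sqlite3.Connection, backup_dir: str):
    """Split Manifest rows into (accepted, rejected).

    accepted: (fileID, domain, relativePath, resolved_path) tuples safe to open.
    rejected: (fileID, reason) tuples, kept so the analyst can see that the
    backup itself looked tampered with rather than having rows vanish silently.
    """
    accepted, rejected = [], []
    query = "SELECT fileID, domain, relativePath FROM Files"
    for file_id, domain, relative_path in conn.execute(query):
        try:
            path = resolve_backup_file(backup_dir, file_id)
        except UnsafeFileID as exc:
            rejected.append((file_id, str(exc)))
            continue
        accepted.append((file_id, domain, relative_path, path))
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = partition_manifest(build_constructed_manifest(), "/nonexistent/backup")
    for entry in ok:
        print("OK      ", entry[0], "->", entry[3])
    for file_id, reason in bad:
        print("REJECTED", repr(file_id), "-", reason)
```

Rejected rows are returned rather than dropped: a backup whose manifest contains a non-hex `fileID` is itself an indicator worth surfacing in the analysis output, since the device never generates such values.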