PatchSiren cyber security CVE debrief
CVE-2026-46486 mvt-project CVE debrief
CVE-2026-46486 is a MEDIUM severity vulnerability in MVT (Mobile Verification Toolkit) prior to version 2026.5.12. The vulnerability allows for path traversal via unsanitized File identifiers in iOS Backup processing. This issue has been patched in version 2026.5.12.
- Vendor: mvt-project
- Product: mvt
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-08
- Original CVE updated: 2026-06-09
- Advisory published: 2026-06-08
- Advisory updated: 2026-06-09
Who should care
Users of MVT (Mobile Verification Toolkit) versions prior to 2026.5.12 should update to the latest version to mitigate this vulnerability.
Technical summary
The vulnerability is caused by unsanitized File identifiers in iOS Backup processing, allowing for path traversal attacks. The CVSS score for this vulnerability is 5.3, indicating a MEDIUM severity.
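The class of check that closes this kind of bug, as an added example (not MVT's code and not the project's actual patch): validate each file identifier before it is joined to the backup directory, then confirm the resolved path stays inside that directory. It assumes the usual iOS backup layout, in which a file ID is the 40-character SHA-1 hex digest of `domain-relativePath` and the file is stored under a directory named after the ID's first two characters; the function names and sample IDs are hypothetical and constructed.

```python
import hashlib
import re
from pathlib import Path

# Assumption: a legitimate file ID is exactly 40 lowercase hex characters.
# fullmatch() is used so a trailing newline or extra segment cannot slip past.
FILE_ID_RE = re.compile(r"[0-9a-f]{40}")


class UnsafeFileID(ValueError):
    """Raised when a file identifier could escape the backup directory."""


def sample_file_id(domain="HomeDomain", relative_path="Library/SMS/sms.db"):
    """Build a well-formed ID the way the assumed backup format derives it."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode()).hexdigest()


def resolve_backup_file(backup_root, file_id):
    """Map a manifest file ID to its on-disk path, refusing traversal."""
    if not isinstance(file_id, str) or not FILE_ID_RE.fullmatch(file_id):
        raise UnsafeFileID(f"malformed file ID: {file_id!r}")
    root = Path(backup_root).resolve()
    candidate = (root / file_id[:2] / file_id).resolve()
    # Defence in depth: a symlinked shard directory could still lead outside.
    if root not in candidate.parents:
        raise UnsafeFileID(f"file ID resolves outside backup: {file_id!r}")
    return candidate


def audit_file_ids(backup_root, file_ids):
    """Split manifest IDs into resolved safe paths and rejected raw values."""
    accepted, rejected = [], []
    for file_id in file_ids:
        try:
            accepted.append(resolve_backup_file(backup_root, file_id))
        except UnsafeFileID:
            rejected.append(file_id)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample values, not taken from a real backup.
    ids = [sample_file_id(), "../../outside.txt", "/abs/path", "AB" * 20, None]
    ok, bad = audit_file_ids("backup", ids)
    print(f"accepted={len(ok)} rejected={bad}")
```

Rejected identifiers are worth logging rather than silently skipping, since a malformed ID in a backup manifest is itself a sign the backup was tampered with or corrupted.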
Defensive priority
MEDIUM
Recommended defensive actions
- Update MVT to version 2026.5.12 or later to patch the vulnerability.
Evidence notes
The vulnerability was patched in version 2026.5.12. References: [v2026.5.12 release](https://github.com/mvt-project/mvt/releases/tag/v2026.5.12), [GHSA-5h3g-px23-w6vw](https://github.com/mvt-project/mvt/security/advisories/GHSA-5h3g-px23-w6vw).
Official resources
CVE-2026-46486 was published on [2026-06-08](https://www.cve.org/CVERecord?id=CVE-2026-46486) and last modified on [2026-06-09](https://nvd.nist.gov/vuln/detail/CVE-2026-46486).