CVE-2026-46486: Mobile Verification Toolkit (MVT): Path Traversal via unsanitized File identifiers in iOS Backup processing

The fileID field from Manifest.db (a SQLite database inside iOS backups, generated by the device) is used directly in filesystem path construction without validation. This affects two commands through a shared code path:

• mvt-ios decrypt-backup (decrypt.py): file_id is used to construct both read source and write destination paths. Traversal sequences in file_id cause decrypted content to be written to an arbitrary location on the analyst’s filesystem.
• mvt-ios check-backup (via _get_backup_file_from_id() in ios/modules/base.py): the same unvalidated fileID resolves to files outside the backup directory, which are then opened and parsed. Parsed contents flow into JSON results and CSV timeline.