CVE-2026-23744

CRITICAL EXPLOITED NUCLEI

MCPJam inspector <1.4.2 - RCE

Title source: llm

Description

MCPJam inspector is the local-first development platform for MCP servers. Versions 1.4.2 and earlier are vulnerable to remote code execution (RCE) vulnerability, which allows an attacker to send a crafted HTTP request that triggers the installation of an MCP server, leading to RCE. Since MCPJam inspector by default listens on 0.0.0.0 instead of 127.0.0.1, an attacker can trigger the RCE remotely via a simple HTTP request. Version 1.4.3 contains a patch.

Exploits (2)

nomisec WORKING POC 1 stars

by boroeurnprach · remote

https://github.com/boroeurnprach/CVE-2026-23744-PoC

View Code ZIP pw:eip

nomisec WORKING POC

by rootdirective-sec · remote

https://github.com/rootdirective-sec/CVE-2026-23744-Lab

View Code ZIP pw:eip

Nuclei Templates (1)

MCPJam Inspector - Remote Code Execution

CRITICALVERIFIEDby Louay-075

References (2)

[Patch] https://github.com/MCPJam/inspector/commit/e6b9cf9d9e6c9cbec31493b1bdca3a1255fe3e7a

[Vendor Advisory] https://github.com/MCPJam/inspector/security/advisories/GHSA-232v-j27c-5pp6

Scores

CVSS v3 9.8

EPSS 0.1721

EPSS Percentile 94.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitation Intel

VulnCheck KEV 2026-02-18

Classification

CWE

CWE-306

Status draft

Affected Products (1)

mcpjam/inspector < 1.4.3npm

Timeline

Published Jan 16, 2026

Tracked Since Feb 18, 2026