VDB

CVE-2026-23744

CVE-2026-23744 · PUBLISHED · CVSS 9.8 CRITICAL

MCPJam inspector is the local-first development platform for MCP servers. Versions 1.4.2 and earlier are affected by a remote code execution (RCE) vulnerability that allows an attacker to send a crafted HTTP request that triggers the installation of an MCP server, leading to RCE. Because MCPJam inspector listens on 0.0.0.0 by default instead of 127.0.0.1, an attacker can trigger the RCE remotely via a simple HTTP request. Version 1.4.3 contains a patch.

EPSS 30.37% · 96.8th percentile

Risk Scores

CVSS 3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 30.37% (96.8th percentile)

Affected Products

Vendor | Product | Versions
mcpjam | inspector | 0, 0
mcpjam | inspector | 0, 0
MCPJam | inspector | <= 1.4.2, <= 1.4.2

Timeline

  • Mar 9, 2023 CrowdSec Sighting
  • May 30, 2024 CrowdSec Sighting
  • May 31, 2024 CrowdSec Sighting
  • Jul 31, 2024 CrowdSec Sighting
  • Jun 19, 2025 CrowdSec Sighting
  • Jan 11, 2026 CrowdSec Sighting
  • Jan 16, 2026 CVE Published
  • Jan 16, 2026 PoC Published
  • Jan 16, 2026 PoC Published
  • Jan 17, 2026 EPSS Score
  • Jan 20, 2026 EPSS Score
  • Jan 22, 2026 PoC Published