CVE-2026-23744

high-risk

Published 2026-01-16

MCPJam inspector is the local-first development platform for MCP servers. Versions 1.4.2 and earlier are vulnerable to remote code execution (RCE) vulnerability, which allows an attacker to send a crafted HTTP request that triggers the installation of an MCP server, leading to RCE. Since MCPJam inspector by default listens on 0.0.0.0 instead of 127.0.0.1, an attacker can trigger the RCE remotely via a simple HTTP request. Version 1.4.3 contains a patch.

Do I need to act?

27.4% chance of exploitation in next 30 days

EPSS score — higher than 73% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (1)

Inspector

Affected Vendors

Mcpjam

References (2)

Patch https://github.com/MCPJam/inspector/commit/e6b9cf9d9e6c9cbec31493b1bdca3a1255fe3...

Exploit https://github.com/MCPJam/inspector/security/advisories/GHSA-232v-j27c-5pp6

/ 100

high-risk

Severity 32/34 · Critical

Exploitability 15/34 · Moderate

Exposure 5/34 · Minimal