CVE•Published 2026-01-16•1 article on news•7 live references•NVD data
CVE-2026-23744
Vulnerability data via CVEDB (Shodan)
CVSS v3.1
9.8
CRITICAL
EPSS percentile
98
Exploit Prediction Scoring System · top 2% of all CVEs
Description
MCPJam inspector is the local-first development platform for MCP servers. Versions 1.4.2 and earlier are vulnerable to remote code execution (RCE) vulnerability, which allows an attacker to send a crafted HTTP request that triggers the installation of an MCP server, leading to RCE. Since MCPJam inspector by default listens on 0.0.0.0 instead of 127.0.0.1, an attacker can trigger the RCE remotely via a simple HTTP request. Version 1.4.3 contains a patch.
Timeline
Published 2026-01-16
External references
Search for exposed instances
Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).
Shodan · vuln tag0 hosts
vuln:CVE-2026-23744Hosts Shodan has explicitly fingerprinted as vulnerable.
Shodan · product + version
product:"Mcpjam Inspector" version:"0.1.5"Version-pinned fingerprint from NVD's first vulnerable CPE.
Shodan · banner/body mention
http.html:"Inspector"HTTP body or banner mentions "Inspector" — catches deploys Shodan didn't identify as a product.
More intel sources (5)
Shodan report
vuln:CVE-2026-23744Country / ASN / product breakdown for the vuln query.
Censys
vulnerabilities.cve_id: CVE-2026-23744Censys host search filtered to this CVE id.
grep.app
CVE-2026-23744Public source-code mentions — fast PoC discovery.
GitHub code
CVE-2026-23744GitHub code search for direct mentions.
Google dork
"CVE-2026-23744" exploit -site:nvd.nist.govWrite-ups and news, NVD excluded.
Known PoCs on GitHub (8)
CVE-2026-237448 repos
nomi-sec/PoC-in-GitHubunknown
📡 PoC auto collect from GitHub. ⚠️ Be careful Malware.
eeeeeeeeee-code/POCunknown
备份的漏洞库,3月开始我们来维护
momenbasel/htb-writeupsHTML
The most comprehensive Hack The Box writeup collection - 500+ machines, 400+ challenges, interactive knowledge graph, skill trees, attack path diagrams, ProLabs, Sherlocks, OSCP/CP…
DarkFunct/TK-CVE-RepoPython
TK-CVE-Repo
mcp-security-project/mcp-cve-projectunknown
The Project shares all information on MCP related CVE's published
zulloper/cve-pocPython
CVE POC repo 자동 수집기
sattyamjjain/agent-airlockPython
A deny-by-default contract & type-checker layer for AI agent tool calls — Pydantic-based, in-process, zero-core-deps. Validates the actual tool-call payload (ghost-arg stripping, s…
suljov/CVE-2026-23744-Remote-Code-Execution-POCPython
MCPJam inspector contains a remote code execution