CVE-2026-23744

Опубликовано: 16 янв. 2026

Источник: nvd

CVSS3: 9.8

EPSS Средний

Описание

MCPJam inspector is the local-first development platform for MCP servers. Versions 1.4.2 and earlier are vulnerable to remote code execution (RCE) vulnerability, which allows an attacker to send a crafted HTTP request that triggers the installation of an MCP server, leading to RCE. Since MCPJam inspector by default listens on 0.0.0.0 instead of 127.0.0.1, an attacker can trigger the RCE remotely via a simple HTTP request. Version 1.4.3 contains a patch.

Ссылки

https://github.com/MCPJam/inspector/commit/e6b9cf9d9e6c9cbec31493b1bdca3a1255fe3e7a
Patch
https://github.com/MCPJam/inspector/security/advisories/GHSA-232v-j27c-5pp6
Exploit
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:mcpjam:inspector:*:*:*:*:*:*:*:*

Версия до 1.4.3 (исключая)

EPSS

Процентиль: 96%

0.27431

Средний

9.8 Critical

CVSS3

Дефекты

CWE-306

Связанные уязвимости

GHSA-232v-j27c-5pp6