2380 matches found
MCP Inspector < 0.14.0 Unauthenticated Remote Code Execution
The MCP inspector is a developer tool for testing and debugging MCP servers. Versions of MCP Inspector below 0.14.1 are vulnerable to remote code execution due to lack of authentication between the Inspector client and proxy, allowing unauthenticated requests to launch MCP commands over stdio. id...
MCPJam Inspector - Remote Code Execution
MCPJam inspector is the local-first development platform for MCP servers. The latest version (1.4.2) and earlier are vulnerable to a remote code execution (RCE) vulnerability, which allows an attacker to send a crafted HTTP request that triggers the installation of an MCP server, leading to RCE. id:...
Exploit for Missing Authentication for Critical Function in Mcpjam Inspector
CVE-2026-23744 — MCPJam Unauthenticated Remote Code Execution...
MCPJam Inspector 1.4.2 Command Injection
This is an advanced Python proof of concept for CVE-2026-23744 demonstrating command injection through a vulnerable MCP API endpoint, leading to remote code execution and reverse shell access. The script supports multiple payload types, endpoint discovery, listener management, and several...
MCPJam Inspector 1.4.2 Defensive API Security Assessment Tool
This Python-based defensive auditing tool evaluates the exposure and security posture of MCP-related API endpoints in a controlled and authorized environment. It is designed to assist security teams in identifying insecure API configurations, exposed execution interfaces, and potential operationa...
Exploit for Missing Authentication for Critical Function in Mcpjam Inspector
CVE-2026-23744 - MCPJam Inspector RCE PoC Proof of Concept ex...
Exploit for Missing Authentication for Critical Function in Mcpjam Inspector
CVE-2026-23744 --- Description MCPJam inspector is a loca...
Exploit for Missing Authentication for Critical Function in Mcpjam Inspector
No d...
Exploit for Missing Authentication for Critical Function in Mcpjam Inspector
on kali linux - terminal 1...
Exploit for Missing Authentication for Critical Function in Mcpjam Inspector
usage: exploit.py -h --lhost LHOST --lport LPOR...
Exploit for Missing Authentication for Critical Function in Mcpjam Inspector
CVE-2026-23744 — MCPJam Inspector Unauthenticated RCE...
Exploit for Missing Authentication for Critical Function in Mcpjam Inspector
HackTheBox — DevHub CVE-2026-23744 | MCPJam Inspector Unaut...
Exploit for Missing Authentication for Critical Function in Mcpjam Inspector
CVE-2026-23744...
Incomplete List of Disallowed Inputs
Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs via the builtin allowlist handling in lib/builtin.js. An attacker can reach host code by requiring process and...
NodeVM builtin denylist bypass via process and inspector/promises allows host code execution
Summary NodeVM blocks several dangerous Node.js builtins such as module, worker_threads, cluster, vm, repl, and inspector. However, the denylist misses process and inspector/promises. Both can be used from sandboxed code to reach host-side execution primitives. This allows sandboxed code to bypass...
GHSA-RP36-8XQ3-R6C4 NodeVM builtin denylist bypass via process and inspector/promises allows host code execution
Summary NodeVM blocks several dangerous Node.js builtins such as module, worker_threads, cluster, vm, repl, and inspector. However, the denylist misses process and inspector/promises. Both can be used from sandboxed code to reach host-side execution primitives. This allows sandboxed code to bypass...
EUVD-2026-33367
Neotoma provides versioned records that persist across agent runs. From 0.6.0 to before 0.11.1, Neotoma can treat public reverse-proxied requests as local when the app receives them over a loopback socket and no Bearer token is present. In affected deployments, the REST auth middleware can resolv...
CVE-2026-45577
Neotoma provides versioned records that persist across agent runs. From 0.6.0 to before 0.11.1, Neotoma can treat public reverse-proxied requests as local when the app receives them over a loopback socket and no Bearer token is present. In affected deployments, the REST auth middleware can resolv...