patch-tuesday
Server Details
Query Microsoft Patch Tuesday security updates (MSRC) with EPSS and CISA KEV enrichment
- Status
- Healthy
- Last Tested
- Transport
- Streamable HTTP
- URL
Glama MCP Gateway
Connect through Glama MCP Gateway for full control over tool access and complete visibility into every call.
Full call logging
Every tool call is logged with complete inputs and outputs, so you can debug issues and audit what your agents are doing.
Tool access control
Enable or disable individual tools per connector, so you decide what your agents can and cannot do.
Managed credentials
Glama handles OAuth flows, token storage, and automatic rotation, so credentials never expire on your clients.
Usage analytics
See which tools your agents call, how often, and when, so you can understand usage patterns and catch anomalies.
Tool Definition Quality
Average 4.9/5 across 1 of 1 tools scored.
With only one tool, there is zero ambiguity between tools. The single tool 'msrc_search' is clearly distinct from any hypothetical others.
The single tool name 'msrc_search' is clear and follows a predictable pattern (service_action). No inconsistency issues.
The server has only one tool, which is too few for the broad scope of functionality it attempts to cover. Many operations (search, CVE lookup, KB lookup, list months, trends) are crammed into one tool, making it overly complex.
The tool provides comprehensive coverage of MSRC data operations: search, specific CVE/KB lookups, filtering, statistics, trend analysis, and output formatting. No obvious gaps in its stated domain.
Available Tools
1 toolmsrc_searchSearch Microsoft Security UpdatesARead-onlyIdempotentInspect
Search Microsoft security updates (Patch Tuesday) from the official MSRC API.
Combines keyword search, CVE/KB lookup, and product/severity/exploitation filtering into a single flexible tool. All filter parameters are optional and can be combined. When no filters are provided, returns the most urgent vulnerabilities from the most recent released Patch Tuesday (CISA-KEV- listed or exploited first, then by EPSS exploitation probability, severity, and CVSS score). The upcoming month's document exists before its Patch Tuesday but only holds early Chromium/third-party and out-of-band entries; it is skipped by default and served only when requested via month=. Results are enriched with EPSS scores (FIRST.org daily exploit prediction, 0-1) and CISA KEV (Known Exploited Vulnerabilities) catalog data when available.
Use this tool to:
Get the latest Patch Tuesday overview (include_stats=True, limit=0)
Browse the most urgent fixes this month (no filters)
Look up a specific CVE with full detail (cve="CVE-2026-41108") -- works across all months, returns KBs, affected products, CVSS, description, FAQs, EPSS score, and KEV status
Find which CVEs a KB article fixes (kb="5094123" or kb="KB5094123") -- scans recent months, or a specific month when combined with month=
Look up many KBs in one call (kb=["5094123", "KB5094127", ...], up to
-- e.g. a machine's installed-update list; returns one grouped per-KB result entry each, with per-KB found/not-found status
Check whether a KB has been superseded by newer patches (kb="5087538", include_chain=True) -- walks Microsoft-stated supersedence links
See what Microsoft has confirmed an update breaks (kb=..., include_known_issues=True) -- known issues from the KB's public support page: symptoms, workarounds, and the resolving update when stated
Find KEV-listed CVEs this month (kev=True) -- confirmed exploited, with federal remediation due dates
High exploitation probability (min_epss=0.5) -- EPSS >= 50%
Search by keyword (query="Exchange" or query="DNS spoofing")
Filter to a product (product="Windows Server 2022") -- partial match
Filter to a product watchlist (product_profile="identity-core", or products=["Exchange Server", "Windows Server"] / product_families=["Windows", "Azure"]) -- keeps vulns matching any listed product or family; matching is local and profiles never leave the host
Filter by severity (severity="Critical") -- Critical/Important/Moderate/Low
Find actively exploited vulnerabilities (exploited=True)
Find publicly disclosed zero-days (publicly_disclosed=True)
Filter by CVSS score (min_cvss=8.0)
Look at a past month (month="2026-Apr" or month="2026-04")
Combine filters (product="Exchange" + severity="Critical" + month="2026-05")
Search a historical range (query="HTTP.sys" + months_back=6, or start_month="2026-Jan" + end_month="2026-Jun") -- aggregates matching CVEs across released months with per-month trend counts
Paginate with offset (offset=10, limit=10 for page 2)
Args: query: Optional keyword; case-insensitive match across CVE ID, title, description, component tag, and affected product names. cve: Optional CVE ID (e.g. "CVE-2026-41108"). Fast path: ignores other filters and returns full detail for that single CVE, searching across all months automatically. kb: Optional KB article number (e.g. "5094123" or "KB5094123") or a list of up to 30 of them for a batched lookup. Fast path: returns the CVEs fixed by that KB, scanning the most recent months (up to 6), or only the given month when month= is also set. A list input returns a grouped response instead: a results array with one entry per KB ("kb", "found", and on success the same body as a single-KB lookup; on a miss "error"/"error_kind"), deduplicated, order preserved. limit/offset apply per KB; other filters are ignored. Accepts numeric KB ids only (any malformed list entry fails the whole call); kb_articles in results may also contain non-KB vendor-fix labels such as "Release Notes", which cannot be looked up here. month: Optional monthly release to search, formatted "2026-Apr" or "2026-04". Defaults to the most recent release whose Patch Tuesday (second Tuesday of the month) has already occurred; pass the upcoming month explicitly to see its pre-release entries. Combined with kb=, restricts the KB lookup to that month. product: Optional product name filter (case-insensitive partial match against affected product names, e.g. "Windows Server 2022"). product_profile: Optional named watchlist (e.g. "identity-core") that expands locally into product/family matchers. Built-in profiles can be overridden/extended via a JSON file at MSRC_PROFILES_PATH. An unknown name returns an invalid_input error listing the available profiles. Profile contents are matched locally and never sent to MSRC, FIRST.org, CISA, or telemetry. products: Optional list of product-name partial matchers. A vulnerability is kept if any entry matches one of its affected products. product_families: Optional list of product-family partial matchers. A vulnerability is kept if any entry matches one of its product families. Combined with products/product_profile as a union (match any listed product OR family). severity: Optional maximum-severity filter. Valid values: Critical, Important, Moderate, Low. exploited: Optional filter for vulnerabilities known to be exploited in the wild (True) or not (False), per Microsoft's assessment. publicly_disclosed: Optional filter for publicly disclosed vulnerabilities. kev: Optional filter for CVEs on (True) or off (False) the CISA Known Exploited Vulnerabilities catalog. ransomware: Optional filter for CVEs whose CISA KEV entry reports known ransomware campaign use (True) or not / not on KEV (False). exploitation_likely: Optional filter on Microsoft's latest-release exploitation assessment: True matches "Exploitation More Likely" or "Exploitation Detected"; False matches everything else (including unassessed entries). Matching results include an exploitation_assessment field. cwe: Optional weakness filter; case-insensitive substring match against CWE entries (e.g. "CWE-416" or "use after free"). Matching results include their cwe list. min_epss: Optional minimum EPSS score (0-1), the probability of exploitation in the next 30 days (e.g. 0.5 for >= 50%). min_cvss: Optional minimum CVSS base score (0-10). attack_vector: Optional CVSS attack-vector filter, one of N (network), A (adjacent), L (local), P (physical). Matches the parsed CVSS v3.x vector; entries without a parseable vector are excluded. privileges_required: Optional CVSS privileges-required filter, one of N (none), L (low), H (high). user_interaction: Optional CVSS user-interaction filter, one of N (none), R (required). scope: Optional CVSS scope filter, one of U (unchanged), C (changed). include_chain: When True together with kb=, adds a supersedence_chain showing which KBs this KB replaces (newest to oldest), walked from Microsoft-stated supersedence links. Ignored without kb=. include_guidance: When True together with cve=, adds a guidance list to the CVE detail output with any Microsoft-provided mitigations, workarounds, and will-not-fix advisories (type/description/url). Omitted by default to keep responses lean. Ignored without cve=. include_references: When True, adds deterministic reference links (MSRC, NVD, EPSS, and KEV when listed) to each result row in month/KB/trend lists. CVE detail lookups always include them. include_kb_details: When True, kb_articles entries become full objects (per-KB url, fixed_build, supersedence, sub_type, and restart_required) instead of bare KB numbers; on cve= lookups it additionally adds restart_required to each KB entry. include_kev_details: When True, KEV-listed rows carry the full KEV entry (due_date, ransomware_use, required_action, vendor_project, product, vulnerability_name) instead of a boolean flag; on cve= lookups it extends the kev block with the extra catalog fields. include_known_issues: When True together with kb=, adds a known_issues block per KB with the issues Microsoft has publicly confirmed for that update (title, symptoms, workaround, and the resolving KB when stated), scraped best-effort from the KB's support page on support.microsoft.com. This reports what Microsoft has confirmed breaks -- it does not predict behavior in a specific environment. The block's status field is honest about coverage: "published" (issues listed), "none_published" (Microsoft publishes no known-issues data for this KB -- the norm for most non-Windows products; Windows cumulative/preview updates are the main source), or "unavailable" (the page could not be fetched or parsed; NOT the same as no issues). Attached even when the KB is not found in MSRC security releases (e.g. preview-only updates). Ignored without kb=. include_temporal: When True, cvss blocks gain the CVSS temporal score Microsoft publishes (exploit-code maturity adjusted). Applies to cve= detail and to list rows that carry a cvss block. list_months: When True, ignore other filters and return the catalog of available monthly releases (id, title, initial/current release dates, newest first) — useful for discovering valid month= values and spotting same-month revisions. format: Output format for a monthly/filtered search: "json" (default, most complete), "markdown", or "csv". "markdown" adds a prioritized triage briefing (executive summary + table) under a markdown key; "csv" adds a spreadsheet-ready table under a csv key plus a columns list. The JSON vulnerabilities list is always included. Ignored for cve=/kb= fast-path lookups. report: Optional report profile for format="markdown"/"csv". Currently only "triage" (the default rendering) is supported; reserved for future report shapes. force_refresh: When True, bypass the in-process caches for this request and re-fetch the MSRC document and EPSS/KEV enrichment from source. Use to pick up a same-day MSRC revision or fresh EPSS/KEV data. Only the data needed for this request is refreshed; unrelated cached months are left intact. include_freshness: When True (or when force_refresh is used), add a freshness block to the response reporting the cache age and TTL of the MSRC document and the EPSS/KEV enrichment data. months_back: Optional historical-trend control; search the N most recent released months (N >= 1) instead of a single month, aggregating matches with per-month counts. Mutually exclusive with start_month/end_month. Capped at 12 months per request. start_month: Optional start of a historical-trend range (e.g. "2026-Jan" or "2026-01"), inclusive. When end_month is omitted the range runs through the latest released month. Capped at 12 months. end_month: Optional end of a historical-trend range (inclusive); requires start_month (or months_back). Pre-release months are excluded. limit: Maximum number of results to return (default: 10, max: 100). Set to 0 with include_stats=True for a stats-only month overview. offset: Number of results to skip for pagination (default: 0). include_stats: When True, includes aggregate counts (by severity, impact, product family, exploited, KEV, publicly disclosed) for the filtered result set.
Returns: Dictionary with: - month: Release ID (e.g. "2026-Jun") and title/release date - total_found: Number of vulnerabilities matching the filters - vulnerabilities: List of compact vulnerability summaries (up to limit) with epss_score and kev flag when available; full detail (epss_percentile, KEV due dates) returned for cve= lookups - filters_applied: Summary of which filters were used - stats: (only when include_stats=True) aggregate counts - supersedence_chain / chain_complete: (only for kb= lookups with include_chain=True) the walked chain, newest to oldest - known_issues: (only for kb= lookups with include_known_issues=True) per-KB block with status ("published" / "none_published" / "unavailable"), an issues list (title, symptoms, workaround, resolution, resolved_by) when published, a note otherwise, and the source_url of the Microsoft support page - total_kbs / results: (only when kb= is a list) grouped batch output; results holds one entry per KB with kb, found, and either the single-KB response body or a per-KB error/error_kind, while the top-level total_found sums across all KBs - guidance: (only for cve= lookups with include_guidance=True) list of mitigation/workaround/will-not-fix advisories, when Microsoft provides them - format / markdown / csv / columns: (only when format="markdown" or "csv") the chosen format plus the rendered triage view; csv also carries the stable column-name list - freshness: (only with include_freshness=True or force_refresh=True) cache age/TTL for the MSRC document and EPSS/KEV enrichment - range / months_searched / trend: (only for historical-trend searches via months_back or start_month/end_month) the resolved month range, the number of months searched, and per-month aggregate counts (total, by_severity, exploited, publicly_disclosed, kev) - available_months: (only with list_months=True) the release catalog, newest first - error / error_kind: (only on failure) a message plus a category (invalid_input, not_found, upstream, internal) - note: (when relevant) explains month selection, e.g. that a newer pre-Patch-Tuesday document was skipped, or (with release_status="pre-patch-tuesday") that the requested month has not had its Patch Tuesday yet
| Name | Required | Description | Default |
|---|---|---|---|
| kb | No | ||
| cve | No | ||
| cwe | No | ||
| kev | No | ||
| limit | No | ||
| month | No | ||
| query | No | ||
| scope | No | ||
| format | No | json | |
| offset | No | ||
| report | No | ||
| product | No | ||
| min_cvss | No | ||
| min_epss | No | ||
| products | No | ||
| severity | No | ||
| end_month | No | ||
| exploited | No | ||
| ransomware | No | ||
| list_months | No | ||
| months_back | No | ||
| start_month | No | ||
| attack_vector | No | ||
| force_refresh | No | ||
| include_chain | No | ||
| include_stats | No | ||
| product_profile | No | ||
| include_guidance | No | ||
| include_temporal | No | ||
| product_families | No | ||
| user_interaction | No | ||
| include_freshness | No | ||
| include_kb_details | No | ||
| include_references | No | ||
| publicly_disclosed | No | ||
| exploitation_likely | No | ||
| include_kev_details | No | ||
| privileges_required | No | ||
| include_known_issues | No |
Output Schema
| Name | Required | Description |
|---|---|---|
No output parameters | ||
Tool Definition Quality
Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?
Annotations declare readOnlyHint, openWorldHint, and idempotentHint, indicating safe, read-only, idempotent behavior. The description adds substantial context: default sorting by urgency, enrichment with EPSS and KEV, cache behavior with force_refresh, pagination details, error handling, and specific behaviors for parameter combinations. No contradictions with annotations.
Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.
Is the description appropriately sized, front-loaded, and free of redundancy?
The description is very long but well-structured: a brief summary, then a detailed default behavior explanation, followed by a bulleted list of use cases, then an exhaustive Args section. It front-loads key information. While verbose, the length is justified by the tool's complexity (39 parameters) and ensures clarity.
Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.
Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?
Given the tool's complexity (39 parameters, no required ones, output schema present), the description is exceptionally complete. It covers input behavior exhaustively, explains output structure in the 'Returns' section, notes error handling (error_kind), and addresses edge cases like pre-release months and cache behavior. The output schema existence reduces burden, but the description still adds value by detailing format options and response keys.
Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.
Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?
Schema description coverage is 0%, so the description must compensate. It does so thoroughly: every parameter is explained with valid values, interactions (e.g., 'Ignored without cve='), defaults, and constraints (e.g., kb list limit of 30). For instance, it details that cve is a fast path that ignores other filters, and that month accepts formats like '2026-Apr'. This adds significant meaning beyond the bare schema.
Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.
Does the description clearly state what the tool does and how it differs from similar tools?
The description explicitly states the tool's purpose: searching Microsoft security updates (Patch Tuesday) from the MSRC API. It clearly identifies the resource ('Microsoft security updates') and the verb ('search'), and distinguishes from potential siblings by detailing combined keyword, CVE, KB, and filtering capabilities.
Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.
Does the description explain when to use this tool, when not to, or what alternatives exist?
The description provides a comprehensive 'Use this tool to:' section listing over a dozen specific use cases (e.g., 'Get the latest Patch Tuesday overview', 'Look up a specific CVE', 'Find KEV-listed CVEs'). It explains when filters are optional and the default behavior when no filters are provided, effectively guiding the agent on appropriate contexts.
Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.
Claim this connector by publishing a /.well-known/glama.json file on your server's domain with the following structure:
{
"$schema": "https://glama.ai/mcp/schemas/connector.json",
"maintainers": [{ "email": "your-email@example.com" }]
}The email address must match the email associated with your Glama account. Once published, Glama will automatically detect and verify the file within a few minutes.
Control your server's listing on Glama, including description and metadata
Access analytics and receive server usage reports
Get monitoring and health status updates for your server
Feature your server to boost visibility and reach more users
For users:
Full audit trail – every tool call is logged with inputs and outputs for compliance and debugging
Granular tool control – enable or disable individual tools per connector to limit what your AI agents can do
Centralized credential management – store and rotate API keys and OAuth tokens in one place
Change alerts – get notified when a connector changes its schema, adds or removes tools, or updates tool definitions, so nothing breaks silently
For server owners:
Proven adoption – public usage metrics on your listing show real-world traction and build trust with prospective users
Tool-level analytics – see which tools are being used most, helping you prioritize development and documentation
Direct user feedback – users can report issues and suggest improvements through the listing, giving you a channel you would not have otherwise
The connector status is unhealthy when Glama is unable to successfully connect to the server. This can happen for several reasons:
The server is experiencing an outage
The URL of the server is wrong
Credentials required to access the server are missing or invalid
If you are the owner of this MCP connector and would like to make modifications to the listing, including providing test credentials for accessing the server, please contact support@glama.ai.
Discussions
No comments yet. Be the first to start the discussion!