Integrates with the FIRST EPSS API to retrieve Exploit Prediction Scoring System metrics, enabling probability-based risk scoring for vulnerabilities.
Utilizes the official CISA GitHub mirror as a fallback source for Known Exploited Vulnerabilities (KEV) data enrichment.
Provides capabilities to export ranked vulnerability lists and patch recommendations in formatted Markdown summaries.
Allows for centralized configuration of runtime settings, scoring weights, and batch limits through TOML configuration files.
Features built-in support for auto-detecting and parsing Trivy JSON scanner outputs to prioritize and rank identified vulnerabilities.
CVE Risk MCP Server
MCP server for CVE lookups, KEV enrichment, and “what should I patch first?” ranking. It
implements the MCP tools/list + tools/call flow over stdio and returns structured risk
assessments per CVE.
Features
CVE detail lookups with parsed CVSS v3/v4 metrics.
CISA KEV feed enrichment (primary + mirror fallback).
EPSS-style risk scoring with reasons and a priority label.
Batch ranking for patch queues.
Tools
cve_lookup
  Inputs: cve_id, include_kev, include_epss
  Output: CVE summary + KEV status + risk score
cve_rank
  Inputs: cve_ids, include_kev, include_epss, fail_fast
  Output: ranked list (highest risk first)
cve_patch_first
  Inputs: cve_ids, top_n, include_kev, include_epss, fail_fast
  Output: ranked list + top-N recommendations
cve_status
  Inputs: none
  Output: upstream status + cache stats (timestamps + last error summary)
cve_config
  Inputs: none
  Output: effective runtime config (URLs, cache, scoring, batch limits)
cve_refresh
  Inputs: cve_ids, include_epss, refresh_kev
  Output: cache warm/refresh summary
cve_export
  Inputs: cve_ids, include_kev, include_epss, include_markdown, fail_fast
  Output: ranked list + optional markdown summary
Quickstart
Reliability knobs
--retries and --retry-backoff-seconds control bounded retries for transient HTTP failures (429/5xx + network errors).
Retry-After supports both delta-seconds and HTTP-date response headers.
--print-effective-config prints resolved settings and their source (CLI/config/env/built-ins) to debug precedence.
--cve-timeout, --kev-timeout, and --epss-timeout override the shared --timeout for per-source control.
--config (TOML) centralizes defaults. Precedence: CLI flags > config > env > built-ins.
MCP and JSON CLI responses now include structured error data for upstream failures.
Batch flows (cve_rank, cve_patch_first, cve_export) are fail-soft and return per-item errors without dropping successful results.
KEV/EPSS enrichment is best-effort: enrichment failures are recorded in errors, but results are still returned with missing enrichment fields.
Optional strict batch mode is available via fail_fast (MCP tool arg) or --fail-fast (JSON CLI).
--max-batch-size limits how many unique CVEs a batch request can process (0 disables).
--max-parallel sets the degree of parallelism for batch CVE lookups (default: 1).
--cache-dir enables a persistent on-disk cache for CVE/KEV/EPSS responses (env: CVE_RISK_CACHE_DIR).
--offline disables all network fetches and uses cache-only mode (requires --cache-dir).
Lookup/rank/patch/export/refresh responses include a cache block when stale cache entries are served in offline mode (cache.served_stale=true with per-source details).
CVE IDs are validated and batch inputs are de-duplicated before upstream calls.
CVE parsing tolerates legacy schema variants (alternate CVSS and reference fields).
Structured errors include remediation hints (e.g., respect Retry-After on 429s).
--epss-weight (or env CVE_RISK_EPSS_WEIGHT) calibrates how strongly EPSS influences the risk score (default: 1.0).
--kev-floor (env CVE_RISK_KEV_FLOOR) and --kev-boost (env CVE_RISK_KEV_BOOST) calibrate the KEV scoring behavior.
--age-recent-days / --age-recent-boost (env CVE_RISK_AGE_RECENT_DAYS / CVE_RISK_AGE_RECENT_BOOST) calibrate the "new CVE" boost.
--age-old-days / --age-old-penalty (env CVE_RISK_AGE_OLD_DAYS / CVE_RISK_AGE_OLD_PENALTY) calibrate the "old CVE" penalty.
cve_status includes cache metadata plus request/latency counters, stale-cache counters, and rolling-window latency percentiles (request_count, success_count, error_count, stale_served_count, avg_latency_ms, last_latency_ms, p50_latency_ms, p95_latency_ms, latency_sample_count, latency_window_size) per source.
stdio MCP mode emits structured JSON logs to stderr (configurable via --mcp-log-level).
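As an added illustration of the retry behaviour described above (my own example, not the project's code): a bounded-retry helper that honours both Retry-After forms (delta-seconds and HTTP-date) before falling back to exponential backoff, retrying only on 429, 5xx and network errors. The function names, the 3-retry / 1-second defaults and the (status, headers, body) shape returned by send() are assumptions.

```python
import email.utils
from datetime import datetime, timezone

DEFAULT_RETRIES = 3           # assumed default for --retries
DEFAULT_BACKOFF_SECONDS = 1.0  # assumed default for --retry-backoff-seconds

def parse_retry_after(value, now):
    """Seconds to wait per a Retry-After header, or None if absent/unparseable.
    Handles delta-seconds ("120") and HTTP-date ("Wed, 01 Jan 2025 12:00:30 GMT")."""
    if value is None:
        return None
    value = value.strip()
    if value.isdigit():
        return float(value)
    try:
        when = email.utils.parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None
    if when.tzinfo is None:  # "-0000" dates come back naive; treat as UTC
        when = when.replace(tzinfo=timezone.utc)
    return max(0.0, (when - now).total_seconds())

def retry_delay(attempt, status, retry_after, now, backoff=DEFAULT_BACKOFF_SECONDS,
                retries=DEFAULT_RETRIES):
    """Delay before retrying 0-based `attempt`, or None when no retry is allowed.
    status=None stands for a network error; 429 and 5xx are transient, other 4xx are not."""
    transient = status is None or status == 429 or 500 <= status <= 599
    if attempt >= retries or not transient:
        return None
    hinted = parse_retry_after(retry_after, now)
    return hinted if hinted is not None else backoff * (2 ** attempt)  # server hint wins

def fetch_with_retries(send, now=None, retries=DEFAULT_RETRIES, backoff=DEFAULT_BACKOFF_SECONDS):
    """Call send() -> (status, headers, body) until success or retries are exhausted.
    Returns (body or None, list of delays applied); a real client would sleep them."""
    now = now or datetime.now(timezone.utc)
    delays = []
    for attempt in range(retries + 1):
        try:
            status, headers, body = send()
        except ConnectionError:  # network error counts as transient
            status, headers, body = None, {}, None
        if status is not None and status < 400:
            return body, delays
        delay = retry_delay(attempt, status, headers.get("Retry-After"), now, backoff, retries)
        if delay is None:
            return None, delays
        delays.append(delay)  # time.sleep(delay) in production
    return None, delays
```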
Operations
See docs/OPERATIONS.md for a small operator runbook (interpreting cve_status, common remediation).
Run (stdio MCP server)
Run (JSON CLI mode)
Config file (optional)
Use --config to set defaults in a TOML file. See cve-risk-mcp.example.toml for a starting point.
Output to file
NDJSON output
When batch errors exist, NDJSON output appends structured {"error": ...} records after ranked items.
Load CVEs from file
Load CVEs from stdin (batch commands)
When no positional CVEs and no --cve-file are provided, rank, patch-first, and export will read from stdin.
--cve-file also supports extracting CVE IDs from common scanner JSON outputs (auto-detected): Grype JSON, Trivy JSON, and OSV-Scanner JSON.
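As an added example (not the project's own parser) of what --cve-file auto-detection together with the CVE ID validation and de-duplication mentioned above involve: the top-level-key heuristics for Grype, Trivy and OSV-Scanner output are my assumptions about each tool's JSON layout, and a plain whitespace/comma separated list is accepted as the fallback.

```python
import json
import re

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$", re.IGNORECASE)  # strict CVE ID shape

def detect_format(doc):
    """Guess the scanner from top-level keys. These heuristics are my own
    assumptions about each tool's JSON layout, not the project's detector."""
    if not isinstance(doc, dict):
        return None
    if "matches" in doc and "descriptor" in doc:
        return "grype"
    if "Results" in doc and "SchemaVersion" in doc:
        return "trivy"
    results = doc.get("results")
    if isinstance(results, list) and all(isinstance(r, dict) and "packages" in r for r in results):
        return "osv-scanner"
    return None

def candidate_ids(doc, fmt):
    """Yield raw identifier strings (ids and aliases) from a detected scanner document."""
    if fmt == "grype":
        for m in doc["matches"]:
            yield m.get("vulnerability", {}).get("id")
    elif fmt == "trivy":
        for result in doc["Results"] or []:        # Trivy emits null for empty targets
            for v in result.get("Vulnerabilities") or []:
                yield v.get("VulnerabilityID")
    elif fmt == "osv-scanner":
        for result in doc["results"]:
            for pkg in result["packages"]:
                for v in pkg.get("vulnerabilities", []):
                    yield v.get("id")
                    yield from v.get("aliases", [])   # GHSA ids usually alias a CVE

def extract_cve_ids(text):
    """Parse scanner JSON (or a plain list) and return (format, CVE IDs): only
    well-formed IDs survive, upper-cased and de-duplicated in first-seen order."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        doc = None
    fmt = detect_format(doc)
    raw = candidate_ids(doc, fmt) if fmt else re.split(r"[\s,]+", text)
    ids = {}
    for item in raw:
        if isinstance(item, str) and CVE_RE.match(item.strip()):
            ids.setdefault(item.strip().upper(), None)  # dict keeps first-seen order
    return fmt, list(ids)
```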
Example (tools/call)
Data sources
CVE data: CIRCL Vulnerability Lookup API.
KEV data: CISA Known Exploited Vulnerabilities feed (primary URL) with fallback to the official CISA GitHub mirror.
EPSS data (optional): FIRST EPSS API.
Notes
No authentication: intended for local or controlled environments.
All outbound network calls are GETs to the configured APIs.