Exploit Intel Platform MCP Server

Overview Schema Related Servers Score Discussions

search_vulnerabilities

Read-onlyIdempotent

Search for CVEs by keyword and filter by severity, exploit availability, CISA KEV status, ransomware, and more to find relevant vulnerabilities with scores and exploitation signals.

Instructions

Search the Exploit Intelligence Platform for vulnerabilities (CVEs). Returns a list of matching CVEs with CVSS scores, EPSS exploitation probability, exploit counts, CISA KEV status, VulnCheck KEV, InTheWild.io exploitation signals, and ransomware attribution. Supports full-text search, severity/vendor/product/ecosystem/CWE filters, CVSS/EPSS thresholds, plus any_exploited and ransomware filters. When sort is omitted, the API may automatically prefer newest exploitation, exploit, or nuclei-template activity based on the filters you set. Examples: query='apache httpd' with has_exploits=true; vendor='fortinet' with severity='critical' and is_kev=true sorted by epss_desc; any_exploited=true with ransomware=true for ransomware-linked CVEs; cwe='89' with min_cvss=9 for critical SQL injection CVEs.

Input Schema

TableJSON Schema

Name	Required	Description
`query`	No	Search keywords (e.g. 'apache httpd', 'log4j'). Optional if filters are provided.
`severity`	No	Filter by severity level
`has_exploits`	No	Only return CVEs with public exploit code
`is_kev`	No	Only return CISA Known Exploited Vulnerabilities
`any_exploited`	No	Only return CVEs exploited in the wild (CISA KEV + VulnCheck KEV + InTheWild.io)
`ransomware`	No	Only return CVEs with confirmed ransomware campaign use
`has_nuclei`	No	Only return CVEs with Nuclei scanner templates
`vendor`	No	Filter by vendor name (e.g. 'microsoft', 'fortinet')
`product`	No	Filter by product name (e.g. 'exchange', 'pan-os')
`ecosystem`	No	Filter by package ecosystem
`cwe`	No	Filter by CWE ID (e.g. '79' or 'CWE-79')
`min_cvss`	No	Minimum CVSS v3 score (0-10)
`min_score`	No	Minimum score for the selected score_version (0-10)
`score_version`	No	Score family for min_score / score_desc
`min_epss`	No	Minimum EPSS score (0-1)
`year`	No	Filter by CVE year (e.g. 2024)
`date_from`	No	Start date for CVE publication (YYYY-MM-DD)
`date_to`	No	End date for CVE publication (YYYY-MM-DD)
`sort`	No	Sort order. Aliases are normalized to the current server schema.
`page`	No	Page number (default: 1)
`per_page`	No	Results per page (1-25, default: 10)

Implementation Reference

eip_mcp/server.py:218-351 (registration)

Tool registration for search_vulnerabilities: defines the Tool object with name, description, inputSchema (all parameters), and read-only annotations.

TOOLS = [
    types.Tool(
        name="search_vulnerabilities",
        annotations=_ro_annotations("Search Vulnerabilities"),
        description=(
            "Search the Exploit Intelligence Platform for vulnerabilities (CVEs). "
            "Returns a list of matching CVEs with CVSS scores, EPSS exploitation "
            "probability, exploit counts, CISA KEV status, VulnCheck KEV, "
            "InTheWild.io exploitation signals, and ransomware attribution. "
            "Supports full-text search, severity/vendor/product/ecosystem/CWE filters, "
            "CVSS/EPSS thresholds, plus any_exploited and ransomware filters. "
            "When sort is omitted, the API may automatically prefer newest "
            "exploitation, exploit, or nuclei-template activity based on the filters "
            "you set. "
            "Examples: query='apache httpd' with has_exploits=true; "
            "vendor='fortinet' with severity='critical' and is_kev=true sorted by epss_desc; "
            "any_exploited=true with ransomware=true for ransomware-linked CVEs; "
            "cwe='89' with min_cvss=9 for critical SQL injection CVEs."
        ),
        inputSchema={
            "type": "object",
            "properties": {
                "query": {
                    "type": "string",
                    "maxLength": 200,
                    "description": "Search keywords (e.g. 'apache httpd', 'log4j'). Optional if filters are provided.",
                },
                "severity": {
                    "type": "string",
                    "enum": ["critical", "high", "medium", "low"],
                    "description": "Filter by severity level",
                },
                "has_exploits": {
                    "type": "boolean",
                    "description": "Only return CVEs with public exploit code",
                },
                "is_kev": {
                    "type": "boolean",
                    "description": "Only return CISA Known Exploited Vulnerabilities",
                },
                "any_exploited": {
                    "type": "boolean",
                    "description": "Only return CVEs exploited in the wild (CISA KEV + VulnCheck KEV + InTheWild.io)",
                },
                "ransomware": {
                    "type": "boolean",
                    "description": "Only return CVEs with confirmed ransomware campaign use",
                },
                "has_nuclei": {
                    "type": "boolean",
                    "description": "Only return CVEs with Nuclei scanner templates",
                },
                "vendor": {
                    "type": "string",
                    "maxLength": 100,
                    "description": "Filter by vendor name (e.g. 'microsoft', 'fortinet')",
                },
                "product": {
                    "type": "string",
                    "maxLength": 100,
                    "description": "Filter by product name (e.g. 'exchange', 'pan-os')",
                },
                "ecosystem": {
                    "type": "string",
                    "enum": ["npm", "pip", "maven", "go", "crates", "nuget", "rubygems", "composer"],
                    "description": "Filter by package ecosystem",
                },
                "cwe": {
                    "type": "string",
                    "pattern": _CWE_PATTERN,
                    "maxLength": 12,
                    "description": "Filter by CWE ID (e.g. '79' or 'CWE-79')",
                },
                "min_cvss": {
                    "type": "number",
                    "minimum": 0,
                    "maximum": 10,
                    "description": "Minimum CVSS v3 score (0-10)",
                },
                "min_score": {
                    "type": "number",
                    "minimum": 0,
                    "maximum": 10,
                    "description": "Minimum score for the selected score_version (0-10)",
                },
                "score_version": {
                    "type": "string",
                    "enum": ["v3", "v4", "effective"],
                    "description": "Score family for min_score / score_desc",
                },
                "min_epss": {
                    "type": "number",
                    "minimum": 0,
                    "maximum": 1,
                    "description": "Minimum EPSS score (0-1)",
                },
                "year": {
                    "type": "integer",
                    "minimum": 1999,
                    "maximum": 2030,
                    "description": "Filter by CVE year (e.g. 2024)",
                },
                "date_from": {
                    "type": "string",
                    "pattern": _DATE_PATTERN,
                    "description": "Start date for CVE publication (YYYY-MM-DD)",
                },
                "date_to": {
                    "type": "string",
                    "pattern": _DATE_PATTERN,
                    "description": "End date for CVE publication (YYYY-MM-DD)",
                },
                "sort": {
                    "type": "string",
                    "enum": [
                        "newest",
                        "published_newest",
                        "oldest",
                        "published_oldest",
                        "cvss_desc",
                        "score_desc",
                        "epss_desc",
                        "relevance",
                        "signal_newest",
                        "exploit_newest",
                        "nuclei_newest",
                    ],
                    "description": "Sort order. Aliases are normalized to the current server schema.",
                },
                "page": _PAGE_SCHEMA,
                "per_page": _per_page_schema(maximum=25, default=10),
            },
        },
    ),

eip_mcp/server.py:1518-1519 (registration)
Dispatch table mapping 'search_vulnerabilities' string to _tool_search handler function.
```
_TOOLS_WITH_ARGS: dict[str, Callable[[dict[str, Any]], str]] = {
    "search_vulnerabilities": _tool_search,
```

eip_mcp/server.py:1245-1256 (handler)

Handler function _tool_search(): validates params via declarative field spec, calls api_client.search_vulns(), formats results via formatters.format_search_results().

def _tool_search(args: dict[str, Any]) -> str:
    params: dict[str, Any] = {}
    _apply_field_spec(args, params, _VULN_SEARCH_FIELDS)
    for bool_key in _VULN_SEARCH_BOOL_FIELDS:
        _copy_bool_arg(args, params, bool_key)
    params.setdefault("per_page", 10)

    if not params or all(k in ("per_page", "page") for k in params):
        raise ValidationError("Provide a search query or at least one filter.")

    data = api_client.search_vulns(params)
    return formatters.format_search_results(data)

eip_mcp/server.py:1194-1224 (schema)

Field specs _VULN_SEARCH_FIELDS and _VULN_SEARCH_BOOL_FIELDS mapping arg keys to API params with validators.

# Declarative field spec for _tool_search.  Each entry is
# (arg_key, params_key, validator, present_check).
# present_check = "truthy"  → only copy if args.get(key) is truthy
# present_check = "not_none" → copy if key is present and value is not None
#                              (lets through 0/0.0/False)
_VULN_SEARCH_FIELDS: tuple[tuple[str, str, Callable[[Any], Any], str], ...] = (
    ("query", "q", validators.validate_query, "truthy"),
    ("severity", "severity", validators.validate_severity, "truthy"),
    ("vendor", "vendor", validators.validate_vendor, "truthy"),
    ("product", "product", validators.validate_product, "truthy"),
    ("ecosystem", "ecosystem", validators.validate_ecosystem, "truthy"),
    ("cwe", "cwe", validators.validate_cwe, "truthy"),
    ("score_version", "score_version", validators.validate_score_version, "truthy"),
    ("date_from", "date_from", validators.validate_date, "truthy"),
    ("date_to", "date_to", validators.validate_date, "truthy"),
    ("sort", "sort", validators.validate_sort, "truthy"),
    ("min_cvss", "min_cvss", validators.validate_cvss, "not_none"),
    ("min_score", "min_score", validators.validate_cvss, "not_none"),
    ("min_epss", "min_epss", validators.validate_epss, "not_none"),
    ("year", "year", validators.validate_year, "not_none"),
    ("page", "page", validators.validate_page, "not_none"),
    ("per_page", "per_page", validators.validate_per_page, "not_none"),
)

_VULN_SEARCH_BOOL_FIELDS: tuple[str, ...] = (
    "has_exploits",
    "is_kev",
    "any_exploited",
    "ransomware",
    "has_nuclei",
)

eip_mcp/api_client.py:146-149 (helper)

API client search_vulns() - sends GET request to /api/v1/vulns with cleaned parameters.

def search_vulns(params: dict[str, Any]) -> dict[str, Any]:
    """Search vulnerabilities. Returns raw API response dict."""
    clean = {k: v for k, v in params.items() if v is not None}
    return _request_json("/api/v1/vulns", params=clean)

Tool Definition Quality

A4.1/5.0

Behavior4/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

The description adds behavioral context beyond annotations by detailing the return format, default sort logic, and filter capabilities. Annotations already indicate read-only and idempotent nature, and the description does not contradict them.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness4/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is reasonably concise for a tool with 21 parameters. It is front-loaded with the main purpose and includes examples. Every sentence adds value, though it could be slightly more streamlined without losing clarity.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness4/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the complexity (21 parameters, no output schema), the description provides sufficient context about the return values, filter options, and sort behavior. It covers most needed information, though pagination details are not expanded beyond the schema.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters3/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Schema description coverage is 100%, and each parameter is well-documented in the schema. The description adds usage context and examples but does not provide additional parameter-level semantics beyond what is already in the schema.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the tool searches for vulnerabilities (CVEs) and lists the specific attributes returned (CVSS, EPSS, exploit counts, etc.). It distinguishes from sibling tools like search_exploits by focusing on vulnerabilities. The purpose is specific and unambiguous.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines4/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description provides clear context for usage, including filter options and examples. It explains the automatic sort behavior when omitted. However, it does not explicitly state when not to use this tool versus alternatives, which would be helpful for differentiation.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Latest Blog Posts

Lightport: Open-Sourcing Glama's AI Gateway
By punkpeye on April 27, 2026.
open source
OpenAI
Tool Definition Quality Score (TDQS)
By punkpeye on April 3, 2026.
mcp
The Hackers Who Tracked My Sleep Cycle
By punkpeye on March 26, 2026.
security

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/OyaAIProd/eip-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server