cve-mcp
cve-mcp is an MCP server that unifies vulnerability intelligence from NVD, EPSS, CISA KEV, GitHub Advisory, and OSV into 23 tools for querying, analyzing, and prioritizing CVEs.
Search & Retrieve CVEs
Search NVD by keyword, CVSS severity, CWE ID, or date range
Get full CVE details (CVSS score, CWE, affected products/CPE, references)
Find CVEs by product/vendor name (e.g., Apache Log4j, OpenSSL)
Monitor recently published/modified CVEs
Assess Exploitation Risk
Get EPSS scores (exploitation probability + percentile) for one or more CVEs
List top CVEs by exploitation probability
Check Active Exploitation (CISA KEV)
Check if CVEs are in the CISA Known Exploited Vulnerabilities catalog
Search KEV by vendor, product, or keyword
Monitor newly added KEV entries
GitHub & OSV Advisory Queries
Search GitHub Security Advisories by keyword, ecosystem (npm, pip, maven, etc.), or severity
Get full advisory details by GHSA or CVE ID
Query OSV for package-level vulnerabilities; batch query multiple packages at once
Exploit & Weakness Intelligence
Search GitHub for public PoC exploit code related to a CVE (sorted by stars)
Look up CWE weaknesses by ID or keyword
CVSS Analysis
Parse and explain CVSS v3.x vector strings, including base score calculation and plain-English summary
Meta / Aggregated Intelligence
Full CVE enrichment: query all 5 sources in parallel with a computed unified risk score
Prioritize CVEs: rank a list by risk score (CVSS × EPSS × KEV multiplier) for triage
Trending CVEs: identify CVEs with the highest exploitation probability right now
Compare CVEs: side-by-side breakdown with a summary of which is more dangerous
Generate reports: produce markdown vulnerability reports with remediation priorities
List data sources: check availability and API key configuration status of all sources
Integrates with GitHub for searching security advisories (GHSA) and public exploit repositories.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@cve-mcpprioritize CVE-2024-3094 and CVE-2023-44487"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
The Problem
Vulnerability intelligence is scattered across multiple databases. NVD has CVE details. EPSS tells you exploitation probability. CISA KEV tracks actively exploited vulns. GitHub Advisory covers open source packages. OSV maps vulnerabilities to specific package versions. Shodan tracks internet exposure. Nuclei and Metasploit tell you if there's a working exploit. No single tool aggregates them, and none work with AI agents.
Traditional workflow:
search NVD for CVE details → navigate a clunky web UI
check EPSS for exploitation risk → separate API, separate format
look up CISA KEV status → download a JSON feed manually
search GitHub advisories → yet another interface
query OSV for package impact → different API, different schema
check Shodan for exposure → separate subscription
look for Nuclei/MSF exploits → manual GitHub search
map to ATT&CK techniques → separate MITRE lookup
correlate everything → copy-paste into a spreadsheet
──────────────────────────────────
Total: 30+ minutes per CVE, longer for bulk triagecve-mcp gives your AI agent 41 tools via the Model Context Protocol. The agent queries 11 sources in parallel, correlates data, detects weaponization signals, calculates risk scores, and tells you exactly what matters.
With cve-mcp:
You: "Prioritize these 10 CVEs by actual exploitation risk"
Agent: → fetches CVSS scores from NVD
→ gets EPSS exploitation probability for each
→ checks CISA KEV for actively exploited
→ cross-references GitHub advisories for patches
→ "3 are critical: CVE-2024-3400 (EPSS 97%, in KEV),
CVE-2023-44487 (HTTP/2 rapid reset, EPSS 96%),
CVE-2021-44228 (Log4Shell, EPSS 97%, in KEV).
Here are patches and affected versions..."Related MCP server: cybersecurity-vuln-mcp
How It's Different
Existing tools give you raw data. cve-mcp gives your AI agent the ability to reason about vulnerabilities.
Quick Start
Option 1: npx (no install)
npx cve-mcpOption 2: Clone
git clone https://github.com/badchars/cve-mcp.git
cd cve-mcp
bun installEnvironment variables (all optional)
# Increases NVD rate limit from 5 to 50 requests per 30 seconds
export NVD_API_KEY=your-nvd-api-key
# Enables GitHub Advisory search (60 → 5000 requests/hour)
export GITHUB_TOKEN=ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# VulnCheck extended KEV, CPE, PURL search
export VULNCHECK_API_KEY=your-vulncheck-key
# Vulners vulnerability search across 200+ sources
export VULNERS_API_KEY=your-vulners-key
# AttackerKB community assessments
export ATTACKERKB_API_KEY=your-attackerkb-keyAll are optional. The server works without them — some tools just have lower rate limits or reduced data.
Connect to your AI agent
# With npx
claude mcp add cve-mcp -- npx cve-mcp
# With local clone
claude mcp add cve-mcp -- bun run /path/to/cve-mcp/src/index.tsAdd to ~/Library/Application Support/Claude/claude_desktop_config.json:
{
"mcpServers": {
"cve-mcp": {
"command": "npx",
"args": ["cve-mcp"],
"env": {
"NVD_API_KEY": "optional-key",
"GITHUB_TOKEN": "optional-token",
"VULNCHECK_API_KEY": "optional-key",
"VULNERS_API_KEY": "optional-key",
"ATTACKERKB_API_KEY": "optional-key"
}
}
}
}Same JSON config format. Point the command to npx cve-mcp or your installation path.
Start querying
You: "What do you know about CVE-2024-3400?"That's it. The agent handles the rest.
What The AI Can Do
Incident Response
You: "We got hit by CVE-2024-3400. Give me everything."
Agent: → cve_enrich {cveId: "CVE-2024-3400"}
→ NVD: PAN-OS command injection, CVSS 10.0
→ EPSS: 97.2% exploitation probability
→ KEV: Added 2024-04-12, due 2024-05-01
→ Shodan: 4 CPEs, internet-exposed
→ Nuclei: Detection template exists (critical)
→ Metasploit: Exploit module available (excellent rank)
→ "Critical. Weaponized — both Nuclei and MSF modules exist.
PAN-OS GlobalProtect, versions < 10.2.9-h1.
Patch immediately. CISA deadline: May 1."Vulnerability Prioritization
You: "Prioritize these CVEs from our scan: CVE-2021-44228, CVE-2024-3400,
CVE-2023-44487, CVE-2024-21762, CVE-2023-4966"
Agent: → cve_prioritize {cves: [...]}
→ Ranks by CVSS × EPSS × KEV multiplier
→ "#1: CVE-2024-3400 (risk: 19.44, CVSS 10.0, EPSS 97%, KEV)
#2: CVE-2021-44228 (risk: 19.40, CVSS 10.0, EPSS 97%, KEV)
#3: CVE-2023-4966 (risk: 19.10, CVSS 9.4, EPSS 97%, KEV)
All 5 are in CISA KEV — patch all immediately."Dependency Audit
You: "Check if lodash 4.17.20 and django 3.2.0 have known vulnerabilities"
Agent: → osv_batch {queries: [
{package: "lodash", version: "4.17.20", ecosystem: "npm"},
{package: "django", version: "3.2.0", ecosystem: "PyPI"}
]}
→ "lodash 4.17.20: 3 vulnerabilities (prototype pollution)
django 3.2.0: 12 vulnerabilities (SQL injection, XSS)
Upgrade lodash to 4.17.21+, django to 4.2+"Threat Monitoring
You: "What are the most likely to be exploited CVEs right now?"
Agent: → cve_trending {limit: 10, minEpss: 0.9}
→ "Top 10 by exploitation probability:
1. CVE-2024-3400 — PAN-OS (EPSS 97.2%, CVSS 10.0, KEV)
2. CVE-2023-44487 — HTTP/2 Rapid Reset (EPSS 96.5%, CVSS 7.5, KEV)
..."CVSS Deep Dive (v3.1 & v4.0)
You: "Break down this CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
Agent: → cvss_parse {vector: "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}
→ "CVSS v4.0 — Score: 9.3 (CRITICAL)
Network attack, low complexity, no attack requirements.
No privileges, no user interaction.
Vulnerable system: full C/I/A impact.
Subsequent systems: no impact."ATT&CK Mapping
You: "Map CVE-2024-3400 to MITRE ATT&CK techniques"
Agent: → cve_to_attack {cweIds: ["CWE-77"]}
→ "CWE-77 (Command Injection) maps to:
T1059 — Command and Scripting Interpreter (Execution)
T1190 — Exploit Public-Facing Application (Initial Access)"Tools Reference (41 tools)
Tool | Description |
| Search CVEs by keyword, severity, CWE, date range |
| Get full CVE details (CVSS, CWE, CPE, references) |
| Recently published/modified CVEs |
| Search CVEs by product name (CPE keyword match) |
Tool | Description |
| EPSS exploitation probability for one or more CVEs |
| Top CVEs by exploitation probability |
Tool | Description |
| Check if CVE(s) are in CISA Known Exploited Vulnerabilities catalog |
| Search KEV by vendor, product, or keyword |
| Recently added KEV entries |
Tool | Description |
| Search GitHub security advisories by keyword, ecosystem, severity |
| Get advisory details by GHSA ID or CVE ID |
Tool | Description |
| Query vulnerabilities for a specific package version |
| Get vulnerability details by OSV/GHSA/CVE ID |
| Batch query multiple packages at once |
Tool | Description |
| Search for public PoC exploits (GitHub repositories) |
Tool | Description |
| CVE lookup via Shodan CVEDB (EPSS, KEV, CPE integrated, zero-auth) |
| Find CVEs by product/vendor name via Shodan |
| Get known vulnerabilities for an IP address (InternetDB) |
Tool | Description |
| Extended KEV catalog (~80% more entries than CISA) |
| CVE search by CPE string |
| CVE search by Package URL (purl) |
Tool | Description |
| CVE details from Vulners (200+ sources, exploit refs) |
| Full-text vulnerability search across Vulners database |
Tool | Description |
| Check if a Nuclei detection template exists for a CVE |
| Check if a Metasploit exploit module exists for a CVE |
Tool | Description |
| Search NVD CPE dictionary by keyword |
| Get CPE matches for a specific CVE |
Tool | Description |
| CIRCL CVE enrichment (CAPEC, alt references, impact vectors) |
Tool | Description |
| Community assessments from AttackerKB (attacker value, exploitability) |
Tool | Description |
| Map CVE CWE IDs to MITRE ATT&CK techniques and tactics |
Tool | Description |
| Look up CWE weakness by ID or search by keyword (static DB) |
| Full CWE details from MITRE API (1000+ CWEs, mitigations, examples) |
| CWE parent/child hierarchy from MITRE API |
| MITRE CWE Top 25 Most Dangerous Software Weaknesses |
Tool | Description |
| Parse and explain CVSS v3.1 or v4.0 vector string with score calculation |
Tool | Description |
| Full enrichment: NVD + EPSS + KEV + GHSA + OSV + Shodan + Nuclei + MSF in parallel |
| Rank CVEs by risk (CVSS × EPSS × KEV × Exploit multiplier) |
| Currently trending CVEs by exploitation probability |
| Side-by-side comparison of two CVEs |
| List all 11 data sources and their availability |
| Generate a markdown vulnerability report |
Data Sources
Source | Auth | What it provides |
Optional | CVE details, CVSS scores, CWE mappings, CPE affected products, references | |
None | Exploitation probability score (0-1) and percentile ranking | |
None | Known exploited vulnerabilities with remediation deadlines | |
Optional | Open source security advisories, affected packages, severity | |
None | Package-level vulnerability data across 16+ ecosystems | |
None | CVE lookup with integrated EPSS/KEV/CPE, IP vulnerability scan | |
Optional | Extended KEV (~80% more entries), CPE/PURL vulnerability search | |
Optional | Vulnerability search across 200+ sources, exploit references | |
None | CVE detection template existence check (severity, tags) | |
None | Exploit module existence check (type, rank, path) | |
None | CVE enrichment with CAPEC mapping, alt references, impact vectors | |
Optional | Community assessments (attacker value, exploitability ratings) | |
None | CWE-to-ATT&CK technique mapping (tactics, techniques) | |
None | Full CWE database (1000+ weaknesses, hierarchy, mitigations) |
Risk Score Formula
Risk Score = CVSS Base Score × EPSS Score × KEV Multiplier × Exploit Multiplier
Where:
CVSS Base Score = 0-10 (severity from NVD)
EPSS Score = 0-1 (exploitation probability from FIRST)
KEV Multiplier = 2 if in CISA KEV, 1 otherwise
Exploit Multiplier = 1.5 if Nuclei template OR Metasploit module exists, 1 otherwiseThis gives a practical risk score that balances severity (CVSS) with real-world exploitation likelihood (EPSS), known active exploitation (KEV), and weaponization signals (public exploit tooling).
Architecture
src/
├── index.ts Entry point + MCP stdio
├── types/
│ └── index.ts ToolDef, ToolContext, ToolResult, API types
├── protocol/
│ ├── tools.ts 41 tool definitions (Zod schemas)
│ └── mcp-server.ts MCP server + stdio transport
├── nvd/
│ ├── index.ts NVD API v2 — search, get, recent
│ └── cpe.ts Product/CPE search
├── epss/
│ └── index.ts EPSS — score, top
├── kev/
│ └── index.ts KEV — check, search, recent (cached)
├── ghsa/
│ └── index.ts GitHub Advisory — search, get
├── osv/
│ └── index.ts OSV — query, get, batch
├── exploit/
│ └── index.ts PoC search via GitHub repos
├── shodan/
│ └── index.ts Shodan CVEDB + InternetDB (zero-auth)
├── vulncheck/
│ └── index.ts VulnCheck KEV, CPE, PURL
├── vulners/
│ └── index.ts Vulners search + lookup
├── nuclei/
│ └── index.ts Nuclei template existence check
├── metasploit/
│ └── index.ts MSF module check (cached metadata)
├── cpe/
│ └── index.ts NVD CPE dictionary API
├── circl/
│ └── index.ts CIRCL CVE enrichment
├── attackerkb/
│ └── index.ts AttackerKB assessments
├── attack/
│ └── index.ts CWE → MITRE ATT&CK mapping
├── cwe/
│ └── index.ts CWE API (MITRE) + static fallback
├── cvss/
│ └── index.ts CVSS v3.1 + v4.0 parser + calculator
├── meta/
│ ├── enrich.ts Full CVE enrichment (8 sources parallel)
│ ├── prioritize.ts Risk-based CVE ranking
│ ├── trending.ts Trending CVEs by EPSS
│ ├── compare.ts Side-by-side CVE comparison
│ └── sources.ts 11 source health checks
└── utils/
├── rate-limiter.ts Queue-based rate limiter
└── cache.ts TTL cacheDesign decisions:
Intelligence, not audit — Unlike cloud-audit-mcp and github-security-mcp, this is a data tool. No CheckResult, no findings accumulation. Each query is independent and stateless.
Parallel enrichment —
cve_enrichcalls 8 sources viaPromise.allSettled. If one source is down, the rest still return data.Weaponization detection — Checks Nuclei template and Metasploit module existence to flag CVEs with public exploit tooling.
Shared rate limiter — All NVD modules share a single
RateLimiterinstance (6s between requests) to avoid 429 errors.KEV + MSF caching — KEV catalog (~1200 entries) and MSF module metadata (~15MB) loaded once, cached with 1-hour TTL.
CWE dual-mode — MITRE CWE REST API for full detail (1000+ CWEs), with 40+ entry static fallback when API is unreachable.
CVSS v3.1 + v4.0 — Auto-detects version from vector prefix. V4.0 uses MacroVector scoring approach.
ATT&CK mapping — Static CWE-to-technique table (33 CWE entries → ATT&CK techniques). No API calls.
2 dependencies —
@modelcontextprotocol/sdkandzod. Nothing else.
Limitations
NVD API without
NVD_API_KEYis limited to 5 requests per 30 seconds. Set the key for production useGitHub Advisory search without
GITHUB_TOKENis limited to 60 requests per hourVulnCheck, Vulners, and AttackerKB require API keys for full functionality
Exploit search uses GitHub repository search which has its own rate limits
MSF module metadata (~15MB) is loaded on first use — initial
msf_checkcall is slowerCVSS v4.0 scoring uses MacroVector approximation (exact specification is very complex)
ATT&CK mapping covers 33 CWE entries — uncommon CWEs may not map
macOS / Linux (Windows not tested)
Part of the MCP Security Suite
Project | Domain | Tools |
Browser-based security testing | 39 tools, Firefox, injection testing | |
Cloud security (AWS/Azure/GCP) | 38 tools, 60+ checks | |
GitHub security posture | 39 tools, 45 checks | |
cve-mcp | Vulnerability intelligence | 41 tools, 11 sources |
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/badchars/cve-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server