Skip to main content
Glama
badchars
by badchars

The Problem

Vulnerability intelligence is scattered across multiple databases. NVD has CVE details. EPSS tells you exploitation probability. CISA KEV tracks actively exploited vulns. GitHub Advisory covers open source packages. OSV maps vulnerabilities to specific package versions. Shodan tracks internet exposure. Nuclei and Metasploit tell you if there's a working exploit. No single tool aggregates them, and none work with AI agents.

Traditional workflow:
  search NVD for CVE details          →  navigate a clunky web UI
  check EPSS for exploitation risk    →  separate API, separate format
  look up CISA KEV status             →  download a JSON feed manually
  search GitHub advisories            →  yet another interface
  query OSV for package impact        →  different API, different schema
  check Shodan for exposure           →  separate subscription
  look for Nuclei/MSF exploits        →  manual GitHub search
  map to ATT&CK techniques            →  separate MITRE lookup
  correlate everything                →  copy-paste into a spreadsheet
  ──────────────────────────────────
  Total: 30+ minutes per CVE, longer for bulk triage

cve-mcp gives your AI agent 41 tools via the Model Context Protocol. The agent queries 11 sources in parallel, correlates data, detects weaponization signals, calculates risk scores, and tells you exactly what matters.

With cve-mcp:
  You: "Prioritize these 10 CVEs by actual exploitation risk"

  Agent: → fetches CVSS scores from NVD
         → gets EPSS exploitation probability for each
         → checks CISA KEV for actively exploited
         → cross-references GitHub advisories for patches
         → "3 are critical: CVE-2024-3400 (EPSS 97%, in KEV),
            CVE-2023-44487 (HTTP/2 rapid reset, EPSS 96%),
            CVE-2021-44228 (Log4Shell, EPSS 97%, in KEV).
            Here are patches and affected versions..."

Related MCP server: cybersecurity-vuln-mcp

How It's Different

Existing tools give you raw data. cve-mcp gives your AI agent the ability to reason about vulnerabilities.


Quick Start

Option 1: npx (no install)

npx cve-mcp

Option 2: Clone

git clone https://github.com/badchars/cve-mcp.git
cd cve-mcp
bun install

Environment variables (all optional)

# Increases NVD rate limit from 5 to 50 requests per 30 seconds
export NVD_API_KEY=your-nvd-api-key

# Enables GitHub Advisory search (60 → 5000 requests/hour)
export GITHUB_TOKEN=ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

# VulnCheck extended KEV, CPE, PURL search
export VULNCHECK_API_KEY=your-vulncheck-key

# Vulners vulnerability search across 200+ sources
export VULNERS_API_KEY=your-vulners-key

# AttackerKB community assessments
export ATTACKERKB_API_KEY=your-attackerkb-key

All are optional. The server works without them — some tools just have lower rate limits or reduced data.

Connect to your AI agent

# With npx
claude mcp add cve-mcp -- npx cve-mcp

# With local clone
claude mcp add cve-mcp -- bun run /path/to/cve-mcp/src/index.ts

Add to ~/Library/Application Support/Claude/claude_desktop_config.json:

{
  "mcpServers": {
    "cve-mcp": {
      "command": "npx",
      "args": ["cve-mcp"],
      "env": {
        "NVD_API_KEY": "optional-key",
        "GITHUB_TOKEN": "optional-token",
        "VULNCHECK_API_KEY": "optional-key",
        "VULNERS_API_KEY": "optional-key",
        "ATTACKERKB_API_KEY": "optional-key"
      }
    }
  }
}

Same JSON config format. Point the command to npx cve-mcp or your installation path.

Start querying

You: "What do you know about CVE-2024-3400?"

That's it. The agent handles the rest.


What The AI Can Do

Incident Response

You: "We got hit by CVE-2024-3400. Give me everything."

Agent: → cve_enrich {cveId: "CVE-2024-3400"}
       → NVD: PAN-OS command injection, CVSS 10.0
       → EPSS: 97.2% exploitation probability
       → KEV: Added 2024-04-12, due 2024-05-01
       → Shodan: 4 CPEs, internet-exposed
       → Nuclei: Detection template exists (critical)
       → Metasploit: Exploit module available (excellent rank)
       → "Critical. Weaponized — both Nuclei and MSF modules exist.
          PAN-OS GlobalProtect, versions < 10.2.9-h1.
          Patch immediately. CISA deadline: May 1."

Vulnerability Prioritization

You: "Prioritize these CVEs from our scan: CVE-2021-44228, CVE-2024-3400,
      CVE-2023-44487, CVE-2024-21762, CVE-2023-4966"

Agent: → cve_prioritize {cves: [...]}
       → Ranks by CVSS × EPSS × KEV multiplier
       → "#1: CVE-2024-3400 (risk: 19.44, CVSS 10.0, EPSS 97%, KEV)
          #2: CVE-2021-44228 (risk: 19.40, CVSS 10.0, EPSS 97%, KEV)
          #3: CVE-2023-4966 (risk: 19.10, CVSS 9.4, EPSS 97%, KEV)
          All 5 are in CISA KEV — patch all immediately."

Dependency Audit

You: "Check if lodash 4.17.20 and django 3.2.0 have known vulnerabilities"

Agent: → osv_batch {queries: [
          {package: "lodash", version: "4.17.20", ecosystem: "npm"},
          {package: "django", version: "3.2.0", ecosystem: "PyPI"}
       ]}
       → "lodash 4.17.20: 3 vulnerabilities (prototype pollution)
          django 3.2.0: 12 vulnerabilities (SQL injection, XSS)
          Upgrade lodash to 4.17.21+, django to 4.2+"

Threat Monitoring

You: "What are the most likely to be exploited CVEs right now?"

Agent: → cve_trending {limit: 10, minEpss: 0.9}
       → "Top 10 by exploitation probability:
          1. CVE-2024-3400 — PAN-OS (EPSS 97.2%, CVSS 10.0, KEV)
          2. CVE-2023-44487 — HTTP/2 Rapid Reset (EPSS 96.5%, CVSS 7.5, KEV)
          ..."

CVSS Deep Dive (v3.1 & v4.0)

You: "Break down this CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"

Agent: → cvss_parse {vector: "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}
       → "CVSS v4.0 — Score: 9.3 (CRITICAL)
          Network attack, low complexity, no attack requirements.
          No privileges, no user interaction.
          Vulnerable system: full C/I/A impact.
          Subsequent systems: no impact."

ATT&CK Mapping

You: "Map CVE-2024-3400 to MITRE ATT&CK techniques"

Agent: → cve_to_attack {cweIds: ["CWE-77"]}
       → "CWE-77 (Command Injection) maps to:
          T1059 — Command and Scripting Interpreter (Execution)
          T1190 — Exploit Public-Facing Application (Initial Access)"

Tools Reference (41 tools)

Tool

Description

nvd_search

Search CVEs by keyword, severity, CWE, date range

nvd_get

Get full CVE details (CVSS, CWE, CPE, references)

nvd_recent

Recently published/modified CVEs

cve_by_product

Search CVEs by product name (CPE keyword match)

Tool

Description

epss_score

EPSS exploitation probability for one or more CVEs

epss_top

Top CVEs by exploitation probability

Tool

Description

kev_check

Check if CVE(s) are in CISA Known Exploited Vulnerabilities catalog

kev_search

Search KEV by vendor, product, or keyword

kev_recent

Recently added KEV entries

Tool

Description

ghsa_search

Search GitHub security advisories by keyword, ecosystem, severity

ghsa_get

Get advisory details by GHSA ID or CVE ID

Tool

Description

osv_query

Query vulnerabilities for a specific package version

osv_get

Get vulnerability details by OSV/GHSA/CVE ID

osv_batch

Batch query multiple packages at once

Tool

Description

exploit_search

Search for public PoC exploits (GitHub repositories)

Tool

Description

shodan_cve

CVE lookup via Shodan CVEDB (EPSS, KEV, CPE integrated, zero-auth)

shodan_product

Find CVEs by product/vendor name via Shodan

shodan_ip_vulns

Get known vulnerabilities for an IP address (InternetDB)

Tool

Description

vulncheck_kev

Extended KEV catalog (~80% more entries than CISA)

vulncheck_cpe

CVE search by CPE string

vulncheck_purl

CVE search by Package URL (purl)

Tool

Description

vulners_lookup

CVE details from Vulners (200+ sources, exploit refs)

vulners_search

Full-text vulnerability search across Vulners database

Tool

Description

nuclei_check

Check if a Nuclei detection template exists for a CVE

msf_check

Check if a Metasploit exploit module exists for a CVE

Tool

Description

cpe_search

Search NVD CPE dictionary by keyword

cpe_match

Get CPE matches for a specific CVE

Tool

Description

circl_cve

CIRCL CVE enrichment (CAPEC, alt references, impact vectors)

Tool

Description

attackerkb_assess

Community assessments from AttackerKB (attacker value, exploitability)

Tool

Description

cve_to_attack

Map CVE CWE IDs to MITRE ATT&CK techniques and tactics

Tool

Description

cwe_lookup

Look up CWE weakness by ID or search by keyword (static DB)

cwe_get

Full CWE details from MITRE API (1000+ CWEs, mitigations, examples)

cwe_hierarchy

CWE parent/child hierarchy from MITRE API

cwe_top25

MITRE CWE Top 25 Most Dangerous Software Weaknesses

Tool

Description

cvss_parse

Parse and explain CVSS v3.1 or v4.0 vector string with score calculation

Tool

Description

cve_enrich

Full enrichment: NVD + EPSS + KEV + GHSA + OSV + Shodan + Nuclei + MSF in parallel

cve_prioritize

Rank CVEs by risk (CVSS × EPSS × KEV × Exploit multiplier)

cve_trending

Currently trending CVEs by exploitation probability

cve_compare

Side-by-side comparison of two CVEs

cve_list_sources

List all 11 data sources and their availability

cve_report

Generate a markdown vulnerability report


Data Sources

Source

Auth

What it provides

NVD

Optional NVD_API_KEY

CVE details, CVSS scores, CWE mappings, CPE affected products, references

EPSS

None

Exploitation probability score (0-1) and percentile ranking

CISA KEV

None

Known exploited vulnerabilities with remediation deadlines

GitHub Advisory

Optional GITHUB_TOKEN

Open source security advisories, affected packages, severity

OSV

None

Package-level vulnerability data across 16+ ecosystems

Shodan CVEDB

None

CVE lookup with integrated EPSS/KEV/CPE, IP vulnerability scan

VulnCheck

Optional VULNCHECK_API_KEY

Extended KEV (~80% more entries), CPE/PURL vulnerability search

Vulners

Optional VULNERS_API_KEY

Vulnerability search across 200+ sources, exploit references

Nuclei Templates

None

CVE detection template existence check (severity, tags)

Metasploit

None

Exploit module existence check (type, rank, path)

CIRCL

None

CVE enrichment with CAPEC mapping, alt references, impact vectors

AttackerKB

Optional ATTACKERKB_API_KEY

Community assessments (attacker value, exploitability ratings)

MITRE ATT&CK

None

CWE-to-ATT&CK technique mapping (tactics, techniques)

MITRE CWE

None

Full CWE database (1000+ weaknesses, hierarchy, mitigations)

Risk Score Formula

Risk Score = CVSS Base Score × EPSS Score × KEV Multiplier × Exploit Multiplier

Where:
  CVSS Base Score     = 0-10 (severity from NVD)
  EPSS Score          = 0-1 (exploitation probability from FIRST)
  KEV Multiplier      = 2 if in CISA KEV, 1 otherwise
  Exploit Multiplier  = 1.5 if Nuclei template OR Metasploit module exists, 1 otherwise

This gives a practical risk score that balances severity (CVSS) with real-world exploitation likelihood (EPSS), known active exploitation (KEV), and weaponization signals (public exploit tooling).


Architecture

src/
├── index.ts                    Entry point + MCP stdio
├── types/
│   └── index.ts                ToolDef, ToolContext, ToolResult, API types
├── protocol/
│   ├── tools.ts                41 tool definitions (Zod schemas)
│   └── mcp-server.ts           MCP server + stdio transport
├── nvd/
│   ├── index.ts                NVD API v2 — search, get, recent
│   └── cpe.ts                  Product/CPE search
├── epss/
│   └── index.ts                EPSS — score, top
├── kev/
│   └── index.ts                KEV — check, search, recent (cached)
├── ghsa/
│   └── index.ts                GitHub Advisory — search, get
├── osv/
│   └── index.ts                OSV — query, get, batch
├── exploit/
│   └── index.ts                PoC search via GitHub repos
├── shodan/
│   └── index.ts                Shodan CVEDB + InternetDB (zero-auth)
├── vulncheck/
│   └── index.ts                VulnCheck KEV, CPE, PURL
├── vulners/
│   └── index.ts                Vulners search + lookup
├── nuclei/
│   └── index.ts                Nuclei template existence check
├── metasploit/
│   └── index.ts                MSF module check (cached metadata)
├── cpe/
│   └── index.ts                NVD CPE dictionary API
├── circl/
│   └── index.ts                CIRCL CVE enrichment
├── attackerkb/
│   └── index.ts                AttackerKB assessments
├── attack/
│   └── index.ts                CWE → MITRE ATT&CK mapping
├── cwe/
│   └── index.ts                CWE API (MITRE) + static fallback
├── cvss/
│   └── index.ts                CVSS v3.1 + v4.0 parser + calculator
├── meta/
│   ├── enrich.ts               Full CVE enrichment (8 sources parallel)
│   ├── prioritize.ts           Risk-based CVE ranking
│   ├── trending.ts             Trending CVEs by EPSS
│   ├── compare.ts              Side-by-side CVE comparison
│   └── sources.ts              11 source health checks
└── utils/
    ├── rate-limiter.ts          Queue-based rate limiter
    └── cache.ts                 TTL cache

Design decisions:

  • Intelligence, not audit — Unlike cloud-audit-mcp and github-security-mcp, this is a data tool. No CheckResult, no findings accumulation. Each query is independent and stateless.

  • Parallel enrichmentcve_enrich calls 8 sources via Promise.allSettled. If one source is down, the rest still return data.

  • Weaponization detection — Checks Nuclei template and Metasploit module existence to flag CVEs with public exploit tooling.

  • Shared rate limiter — All NVD modules share a single RateLimiter instance (6s between requests) to avoid 429 errors.

  • KEV + MSF caching — KEV catalog (~1200 entries) and MSF module metadata (~15MB) loaded once, cached with 1-hour TTL.

  • CWE dual-mode — MITRE CWE REST API for full detail (1000+ CWEs), with 40+ entry static fallback when API is unreachable.

  • CVSS v3.1 + v4.0 — Auto-detects version from vector prefix. V4.0 uses MacroVector scoring approach.

  • ATT&CK mapping — Static CWE-to-technique table (33 CWE entries → ATT&CK techniques). No API calls.

  • 2 dependencies@modelcontextprotocol/sdk and zod. Nothing else.


Limitations

  • NVD API without NVD_API_KEY is limited to 5 requests per 30 seconds. Set the key for production use

  • GitHub Advisory search without GITHUB_TOKEN is limited to 60 requests per hour

  • VulnCheck, Vulners, and AttackerKB require API keys for full functionality

  • Exploit search uses GitHub repository search which has its own rate limits

  • MSF module metadata (~15MB) is loaded on first use — initial msf_check call is slower

  • CVSS v4.0 scoring uses MacroVector approximation (exact specification is very complex)

  • ATT&CK mapping covers 33 CWE entries — uncommon CWEs may not map

  • macOS / Linux (Windows not tested)


Part of the MCP Security Suite

Project

Domain

Tools

hackbrowser-mcp

Browser-based security testing

39 tools, Firefox, injection testing

cloud-audit-mcp

Cloud security (AWS/Azure/GCP)

38 tools, 60+ checks

github-security-mcp

GitHub security posture

39 tools, 45 checks

cve-mcp

Vulnerability intelligence

41 tools, 11 sources


Install Server
A
license - permissive license
A
quality
A
maintenance

Maintenance

Maintainers
Response time
1wRelease cycle
2Releases (12mo)
Commit activity

Resources

Unclaimed servers have limited discoverability.

Looking for Admin?

If you are the server author, to access and configure the admin panel.

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/badchars/cve-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server