cve-mcp
by badchars

The Problem

Vulnerability intelligence is scattered across multiple databases. NVD has CVE details. EPSS tells you exploitation probability. CISA KEV tracks actively exploited vulns. GitHub Advisory covers open source packages. OSV maps vulnerabilities to specific package versions. No single tool aggregates them, and none of them is built to be called by an AI agent.

Traditional workflow:
  search NVD for CVE details          →  navigate a clunky web UI
  check EPSS for exploitation risk    →  separate API, separate format
  look up CISA KEV status             →  download a JSON feed manually
  search GitHub advisories            →  yet another interface
  query OSV for package impact        →  different API, different schema
  correlate everything                →  copy-paste into a spreadsheet
  ──────────────────────────────────
  Total: 30+ minutes per CVE, longer for bulk triage

cve-mcp gives your AI agent 23 tools via the Model Context Protocol. The agent queries all five sources in parallel, correlates data, calculates risk scores, and tells you exactly what matters.

With cve-mcp:
  You: "Prioritize these 10 CVEs by actual exploitation risk"

  Agent: → fetches CVSS scores from NVD
         → gets EPSS exploitation probability for each
         → checks CISA KEV for actively exploited
         → cross-references GitHub advisories for patches
         → "3 are critical: CVE-2024-3400 (EPSS 97%, in KEV),
            CVE-2023-44487 (HTTP/2 rapid reset, EPSS 96%),
            CVE-2021-44228 (Log4Shell, EPSS 97%, in KEV).
            Here are patches and affected versions..."


How It's Different

Existing tools give you raw data. cve-mcp gives your AI agent the ability to reason about vulnerabilities.


Quick Start

Option 1: npx (no install)

npx cve-mcp

Option 2: Clone

git clone https://github.com/badchars/cve-mcp.git
cd cve-mcp
bun install

Environment variables (optional)

# Increases NVD rate limit from 5 to 50 requests per 30 seconds
export NVD_API_KEY=your-nvd-api-key

# Enables GitHub Advisory search (60 → 5000 requests/hour)
export GITHUB_TOKEN=ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Both are optional. The server works without them, just with lower rate limits. The advisory database is public, so the GitHub token needs no scopes; a fine-grained token with no repository access is enough. Treat both values as secrets and keep them out of version control.

Connect to your AI agent

# With npx
claude mcp add cve-mcp -- npx cve-mcp

# With local clone
claude mcp add cve-mcp -- bun run /path/to/cve-mcp/src/index.ts

Add to ~/Library/Application Support/Claude/claude_desktop_config.json:

{
  "mcpServers": {
    "cve-mcp": {
      "command": "npx",
      "args": ["cve-mcp"],
      "env": {
        "NVD_API_KEY": "optional-key",
        "GITHUB_TOKEN": "optional-token"
      }
    }
  }
}

Other MCP clients use the same JSON config format: point the command at npx cve-mcp or at your installation path. Anything placed in the env block is stored in plaintext in the client's config file, so if your client inherits the shell environment, exporting the keys there instead keeps them out of the config.

Start querying

You: "What do you know about CVE-2024-3400?"

That's it. The agent handles the rest.


What The AI Can Do

Incident Response

You: "We got hit by CVE-2024-3400. Give me everything."

Agent: → cve_enrich {cveId: "CVE-2024-3400"}
       → NVD: PAN-OS command injection, CVSS 10.0
       → EPSS: 97.2% exploitation probability
       → KEV: Added 2024-04-12, due 2024-05-01
       → GHSA: No open source advisory (commercial product)
       → exploit_search: 23 PoC repos on GitHub
       → "Critical. Actively exploited in the wild.
          PAN-OS GlobalProtect, versions < 10.2.9-h1.
          Patch immediately. CISA deadline: May 1."

Vulnerability Prioritization

You: "Prioritize these CVEs from our scan: CVE-2021-44228, CVE-2024-3400,
      CVE-2023-44487, CVE-2024-21762, CVE-2023-4966"

Agent: → cve_prioritize {cves: [...]}
       → Ranks by CVSS × EPSS × KEV multiplier
       → "#1: CVE-2024-3400 (risk: 19.44, CVSS 10.0, EPSS 97%, KEV)
          #2: CVE-2021-44228 (risk: 19.40, CVSS 10.0, EPSS 97%, KEV)
          #3: CVE-2023-4966 (risk: 18.24, CVSS 9.4, EPSS 97%, KEV)
          All 5 are in CISA KEV — patch all immediately."

Dependency Audit

You: "Check if lodash 4.17.20 and django 3.2.0 have known vulnerabilities"

Agent: → osv_batch {queries: [
          {package: "lodash", version: "4.17.20", ecosystem: "npm"},
          {package: "django", version: "3.2.0", ecosystem: "PyPI"}
       ]}
       → "lodash 4.17.20: 3 vulnerabilities (prototype pollution)
          django 3.2.0: 12 vulnerabilities (SQL injection, XSS)
          Upgrade lodash to 4.17.21+, django to 4.2+"

Threat Monitoring

You: "What are the most likely to be exploited CVEs right now?"

Agent: → cve_trending {limit: 10, minEpss: 0.9}
       → "Top 10 by exploitation probability:
          1. CVE-2024-3400 — PAN-OS (EPSS 97.2%, CVSS 10.0, KEV)
          2. CVE-2023-44487 — HTTP/2 Rapid Reset (EPSS 96.5%, CVSS 7.5, KEV)
          ..."

CVSS Deep Dive

You: "Break down this CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"

Agent: → cvss_parse {vector: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}
       → "Score: 10.0 (CRITICAL)
          Network attack vector, no privileges required, no user interaction.
          Scope changed — can impact other components.
          Full compromise: confidentiality, integrity, and availability."

Tools Reference (23 tools)

Tool                Description

NVD
  nvd_search        Search CVEs by keyword, severity, CWE, date range
  nvd_get           Get full CVE details (CVSS, CWE, CPE, references)
  nvd_recent        Recently published/modified CVEs
  cve_by_product    Search CVEs by product name (CPE keyword match)

EPSS
  epss_score        EPSS exploitation probability for one or more CVEs
  epss_top          Top CVEs by exploitation probability

CISA KEV
  kev_check         Check if CVE(s) are in the CISA Known Exploited Vulnerabilities catalog
  kev_search        Search KEV by vendor, product, or keyword
  kev_recent        Recently added KEV entries

GitHub Advisory
  ghsa_search       Search GitHub security advisories by keyword, ecosystem, severity
  ghsa_get          Get advisory details by GHSA ID or CVE ID

OSV
  osv_query         Query vulnerabilities for a specific package version
  osv_get           Get vulnerability details by OSV/GHSA/CVE ID
  osv_batch         Batch query multiple packages at once

Exploits
  exploit_search    Search for public PoC exploits (GitHub repositories)

CWE
  cwe_lookup        Look up CWE weakness by ID or search by keyword

CVSS
  cvss_parse        Parse and explain a CVSS v3.1 vector string with score calculation

Meta (cross-source)
  cve_enrich        Full enrichment: NVD + EPSS + KEV + GHSA + OSV in parallel
  cve_prioritize    Rank CVEs by risk (CVSS × EPSS × KEV multiplier)
  cve_trending      Currently trending CVEs by exploitation probability
  cve_compare       Side-by-side comparison of two CVEs
  cve_list_sources  List all data sources and their availability
  cve_report        Generate a markdown vulnerability report


Data Sources

Source            Auth                    What it provides
NVD               Optional NVD_API_KEY    CVE details, CVSS scores, CWE mappings, CPE affected products, references
EPSS              None                    Exploitation probability score (0-1) and percentile ranking
CISA KEV          None                    Known exploited vulnerabilities with remediation deadlines
GitHub Advisory   Optional GITHUB_TOKEN   Open source security advisories, affected packages, severity
OSV               None                    Package-level vulnerability data across 16+ ecosystems

Risk Score Formula

Risk Score = CVSS Base Score × EPSS Score × KEV Multiplier

Where:
  CVSS Base Score  = 0-10 (severity from NVD)
  EPSS Score       = 0-1 (exploitation probability from FIRST)
  KEV Multiplier   = 2 if in CISA KEV, 1 otherwise

This gives a practical risk score that balances severity (CVSS) with real-world exploitation likelihood (EPSS) and known active exploitation (KEV).
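The formula applied end to end, as an added example that is not cve-mcp's own cve_prioritize code. It ranks a constructed set of CVE records (the numbers are illustrative inputs loosely matching the Vulnerability Prioritization example above, not live feed data) and reproduces that example's output format. Setting aside CVEs that lack a CVSS or EPSS value, the tie-break order, and the two-decimal rounding are this example's choices.

```typescript
// Added example (not cve-mcp's code): Risk Score = CVSS x EPSS x KEV multiplier.
export interface CveRecord {
  id: string;
  cvss: number | null;   // NVD base score 0-10; null while NVD has not analysed the CVE
  epss: number | null;   // FIRST EPSS probability 0-1; null when FIRST has no score yet
  inKev: boolean;        // present in the CISA KEV catalog
}

export interface RankedCve { id: string; cvss: number; epss: number; inKev: boolean; risk: number }

export interface Prioritization {
  ranked: RankedCve[];    // scored CVEs, highest risk first
  unscored: CveRecord[];  // missing CVSS or EPSS: a product of 0 would silently bury them
}

export const KEV_MULTIPLIER = 2;

export function riskScore(r: { cvss: number; epss: number; inKev: boolean }): number {
  const raw = r.cvss * r.epss * (r.inKev ? KEV_MULTIPLIER : 1);
  return Math.round(raw * 100) / 100;
}

export function prioritize(records: CveRecord[]): Prioritization {
  const ranked: RankedCve[] = [];
  const unscored: CveRecord[] = [];
  for (const r of records) {
    if (r.cvss === null || r.epss === null) { unscored.push(r); continue; }
    const scored = { id: r.id, cvss: r.cvss, epss: r.epss, inKev: r.inKev };
    ranked.push({ ...scored, risk: riskScore(scored) });
  }
  // Tie-breaks: confirmed exploitation (KEV) first, then severity, then probability,
  // then ID so the ordering is stable across runs.
  ranked.sort((a, b) =>
    b.risk - a.risk ||
    Number(b.inKev) - Number(a.inKev) ||
    b.cvss - a.cvss ||
    b.epss - a.epss ||
    a.id.localeCompare(b.id));
  return { ranked, unscored };
}

// One line per CVE in the style of the cve_prioritize sample output above.
export function formatRanking(p: Prioritization): string[] {
  const lines = p.ranked.map((r, i) =>
    `#${i + 1}: ${r.id} (risk: ${r.risk.toFixed(2)}, CVSS ${r.cvss.toFixed(1)}, ` +
    `EPSS ${Math.round(r.epss * 100)}%${r.inKev ? ", KEV" : ""})`);
  for (const r of p.unscored) {
    lines.push(`unscored: ${r.id} (missing ${r.cvss === null ? "CVSS" : "EPSS"}; review manually)`);
  }
  return lines;
}

// Constructed sample input. The placeholder ID stands in for a freshly published
// CVE that FIRST has not scored yet; it is not a real identifier.
export const SAMPLE: CveRecord[] = [
  { id: "CVE-2021-44228", cvss: 10.0, epss: 0.970, inKev: true },
  { id: "CVE-2024-3400", cvss: 10.0, epss: 0.972, inKev: true },
  { id: "CVE-2023-44487", cvss: 7.5, epss: 0.960, inKev: true },
  { id: "CVE-2024-21762", cvss: 9.8, epss: 0.900, inKev: true },
  { id: "CVE-2023-4966", cvss: 9.4, epss: 0.970, inKev: true },
  { id: "CVE-0000-00000 (placeholder)", cvss: 9.8, epss: null, inKev: false },
];

console.log(formatRanking(prioritize(SAMPLE)).join("\n"));
```

Two properties of a multiplicative score are worth keeping in mind when reading the ranking. A CVE with no EPSS entry yet (common in the first days after publication) would score 0 and drop to the bottom, which is why the example reports it separately. And a ×2 KEV multiplier does not guarantee KEV entries rank first: CVSS 5.0 × EPSS 0.5 × 2 = 5.0 sits below a non-KEV CVSS 10.0 × EPSS 0.9 = 9.0, so the KEV due date is better treated as a hard override than folded into the score.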


Architecture

src/
├── index.ts                    Entry point + MCP stdio
├── types/
│   └── index.ts                ToolDef, ToolContext, ToolResult, API types
├── protocol/
│   ├── tools.ts                23 tool definitions (Zod schemas)
│   └── mcp-server.ts           MCP server + stdio transport
├── nvd/
│   ├── index.ts                NVD API v2 — search, get, recent
│   └── cpe.ts                  Product/CPE search
├── epss/
│   └── index.ts                EPSS — score, top
├── kev/
│   └── index.ts                KEV — check, search, recent (cached)
├── ghsa/
│   └── index.ts                GitHub Advisory — search, get
├── osv/
│   └── index.ts                OSV — query, get, batch
├── exploit/
│   └── index.ts                PoC search via GitHub repos
├── cwe/
│   └── index.ts                CWE database (40+ entries embedded)
├── cvss/
│   └── index.ts                CVSS v3.1 parser + score calculator
├── meta/
│   ├── enrich.ts               Full CVE enrichment (all sources)
│   ├── prioritize.ts           Risk-based CVE ranking
│   ├── trending.ts             Trending CVEs by EPSS
│   ├── compare.ts              Side-by-side CVE comparison
│   └── sources.ts              Data source health check
└── utils/
    ├── rate-limiter.ts          Queue-based rate limiter (NVD)
    └── cache.ts                 TTL cache (NVD results)

Design decisions:

  • Intelligence, not audit — Unlike cloud-audit-mcp and github-security-mcp, this is a data tool. No CheckResult, no findings accumulation. Each query is independent and stateless.

  • Parallel enrichment — cve_enrich calls all 5 sources via Promise.allSettled. If one source is down, the rest still return data.

  • Shared rate limiter — All NVD modules share a single RateLimiter instance (6s between requests) to avoid 429 errors.

  • KEV caching — The full KEV catalog (~1200 entries, ~200KB) is loaded once and cached in memory with 1-hour TTL.

  • NVD result caching — Individual CVE lookups are cached with 10-minute TTL to avoid redundant API calls during enrichment.

  • Embedded CWE database — 40+ top CWEs from OWASP/MITRE embedded as static data. No external API needed.

  • Full CVSS calculator — CVSS v3.1 base score calculation algorithm implemented locally. Parses any vector string and explains each metric.

  • 2 dependencies — @modelcontextprotocol/sdk and zod. Nothing else.
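The Promise.allSettled fan-out from the "Parallel enrichment" decision, as an added example that is not cve-mcp's own cve_enrich code. It adds a per-source timeout, which is this example's choice rather than something the page states the project does: allSettled only helps once every promise actually settles, and a hung upstream would otherwise stall the whole tool call. The five fetchers are constructed stubs standing in for the real NVD/EPSS/KEV/GHSA/OSV clients, and the values they return are illustrative.

```typescript
// Added example (not cve-mcp's code): parallel enrichment that degrades per source.
export type SourceName = "nvd" | "epss" | "kev" | "ghsa" | "osv";
export type Fetcher = (cveId: string) => Promise<unknown>;
export type SourceResult =
  | { status: "ok"; data: unknown }
  | { status: "error"; error: string };

export interface Enrichment {
  cveId: string;
  results: Record<SourceName, SourceResult>;
  degraded: boolean;  // true when at least one source failed or timed out
}

// Race the fetch against a timer; clear the timer either way so it cannot keep
// the process alive after a fast response.
export function withTimeout<T>(p: Promise<T>, ms: number, label: string): Promise<T> {
  let timer: ReturnType<typeof setTimeout> | undefined;
  const timeout = new Promise<never>((_, reject) => {
    timer = setTimeout(() => reject(new Error(`${label}: timed out after ${ms}ms`)), ms);
  });
  return Promise.race([p, timeout]).finally(() => clearTimeout(timer));
}

export async function enrich(
  cveId: string,
  sources: Record<SourceName, Fetcher>,
  timeoutMs = 10_000,
): Promise<Enrichment> {
  const names = Object.keys(sources) as SourceName[];
  // allSettled never rejects: each outcome is recorded as ok or error, so a 503 from
  // one feed does not throw away the answers the other four already returned.
  const settled = await Promise.allSettled(
    names.map((name) => withTimeout(sources[name](cveId), timeoutMs, name)),
  );
  const results = {} as Record<SourceName, SourceResult>;
  settled.forEach((outcome, i) => {
    results[names[i]] = outcome.status === "fulfilled"
      ? { status: "ok", data: outcome.value }
      : { status: "error", error: outcome.reason instanceof Error ? outcome.reason.message : String(outcome.reason) };
  });
  const degraded = Object.values(results).some((r) => r.status === "error");
  return { cveId, results, degraded };
}

const delay = (ms: number) => new Promise<void>((resolve) => setTimeout(resolve, ms));

// Constructed stubs: KEV answers with an HTTP error and OSV is slow enough to miss
// a 50 ms budget, so both failure modes show up in one call.
export const DEMO_SOURCES: Record<SourceName, Fetcher> = {
  nvd: async (id) => ({ id, cvssBase: 10.0 }),
  epss: async (id) => ({ id, epss: 0.972 }),
  kev: async () => { throw new Error("HTTP 503 from KEV feed"); },
  ghsa: async () => null,  // no advisory: commercial product
  osv: async (id) => { await delay(200); return { id, vulns: [] }; },
};

enrich("CVE-2024-3400", DEMO_SOURCES, 50).then((e) => console.log(JSON.stringify(e, null, 2)));
```

The degraded flag is what the agent should surface: an enrichment that silently omits KEV looks identical to "not in KEV" unless the per-source status travels with the data.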


Limitations

  • NVD API without NVD_API_KEY is limited to 5 requests per 30 seconds. Set the key for production use.

  • GitHub Advisory search without GITHUB_TOKEN is limited to 60 requests per hour

  • Exploit search uses GitHub repository search, which has its own rate limits. Results are whatever repositories mention the CVE ID; fake and backdoored "PoC" repositories are common, so treat hits as leads to read, not code to run.

  • CVSS parser supports v3.1 only (v2 and v4 vectors are not parsed, though v2 scores are returned from NVD)

  • CWE database is embedded (40+ entries) rather than comprehensive (1000+ in full MITRE database)

  • Tool results are third-party text (advisory summaries, repository names and descriptions) returned to the agent; treat them as untrusted input, not as instructions.

  • macOS / Linux (Windows not tested)


Part of the MCP Security Suite

Project               Domain                            Tools
hackbrowser-mcp       Browser-based security testing    39 tools, Firefox, injection testing
cloud-audit-mcp       Cloud security (AWS/Azure/GCP)    38 tools, 60+ checks
github-security-mcp   GitHub security posture           39 tools, 45 checks
cve-mcp               Vulnerability intelligence        23 tools, 5 sources
