MCP Vulnerability Reporting
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@MCP Vulnerability ReportingCreate a vulnerability report for SQL injection on https://example.com/login"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
MCP Vulnerability Reporting
Professional vulnerability report generator for security assessments. This MCP server creates standardized, well-formatted security reports following industry best practices.
⚠️ IMPORTANT: AI-Generated Content
This MCP does not use pre-written templates. Instead, the AI (Claude) generates all report content based on the specific vulnerability instance. The report structure follows the template format from /Users/orhanyildirim/Desktop/mcp-browser-injection-extented/report.md, but the content is dynamically created for each unique finding.
What the AI Generates:
✅ Vulnerability Overview (educational description of the vulnerability type)
✅ Specific Findings (detailed analysis of this instance)
✅ Steps to Reproduce (customized for the target application)
✅ Recommendations (actionable remediation guidance)
✅ Impacts (business and technical impact analysis)
✅ References (OWASP, CWE, security resources)
Related MCP server: VulneraMCP
Features
AI-Powered Content Generation: Claude generates comprehensive, contextual report content for each vulnerability
Template Structure Compliance: Maintains the exact format from your report template
Flexible Content: Adapts to different vulnerability types, severities, and application contexts
CVSS Scoring: Automated CVSS v3.1 score and vector calculation
Evidence Management: Support for screenshots, HTTP requests/responses, PoC code
Markdown Export: Professional markdown reports ready for bug bounty submissions or pentest deliverables
Reference Database: Fallback to default OWASP/CWE references if AI doesn't provide custom ones
Installation
npm install
npm run buildUsage with Claude Desktop
Add to your Claude Desktop configuration file:
macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
Windows: %APPDATA%\Claude\claude_desktop_config.json
{
"mcpServers": {
"browser-automation": {
"command": "node",
"args": ["/Users/your-username/Desktop/mcp-browser-injection-extented/dist/index.js"]
},
"vulnerability-reporting": {
"command": "node",
"args": ["/Users/your-username/Desktop/mcp-vulnerability-reporting/dist/index.js"]
}
}
}Tools Available
1. create_vulnerability_report
Creates a new vulnerability report with AI-generated content following the template structure.
IMPORTANT: The AI must generate all content sections. This tool does NOT use pre-written templates.
Parameters:
vulnerability: Object containing vulnerability detailstype: Vulnerability type (e.g., SQL_INJECTION, XSS, SSTI)severity: Severity level (Critical, High, Medium, Low, Informational)url: Target URLparameter: Vulnerable parameter namepayload: Successful payloadaffectedEndpoint(optional): Specific endpointmethod(optional): HTTP method
overview: AI-GENERATED - General description of the vulnerability type (what is it, how does it work, why is it dangerous)findings: Object with specific findingsspecificDescription: AI-GENERATED - Detailed description of this specific instancedetectedBehaviors: Array of observed behaviors (from testing)confidence: Detection confidence level
stepsToReproduce: AI-GENERATED - Array of step-by-step reproduction instructionsrecommendations: AI-GENERATED - Array of remediation recommendations with format:"- **Bold Header**: Detailed explanation"
impacts: AI-GENERATED - Array of potential impacts with format:"- **Bold Header**: What could happen"
references(optional): Array of security referencesIf not provided, template defaults are used
Returns: Report ID for future operations
2. add_evidence_to_report
Adds evidence to an existing report.
Parameters:
reportId: Target report IDevidenceType: Type of evidence (screenshot, request, response, poc, code)content: Evidence content or file pathdescription: Evidence description
3. calculate_cvss_score
Calculates CVSS score and vector for a report.
Parameters:
reportId: Target report ID
4. export_report
Exports report as markdown file.
Parameters:
reportId: Report ID to exportoutputPath: Output file path
5. list_reports
Lists all generated reports.
6. get_report_preview
Previews report in markdown format.
Parameters:
reportId: Report ID to preview
7. get_report_template
Gets the exact report template format that AI should follow. Use this before creating reports to understand the required structure.
Parameters: None
Returns: The template with detailed formatting instructions for AI content generation
Example Workflow with Browser MCP
Here's how to use both MCPs together. Claude generates all report content:
User: "Test https://vulnerable-site.com/login for SQL injection and create a professional report"
Claude uses Browser MCP:
1. browser_navigate({ url: "https://vulnerable-site.com/login" })
2. browser_test_payload({
targetSelector: "#username",
payload: "' OR 1=1--",
submitSelector: "#login"
})
// Returns: { isVulnerable: true, confidence: "high", detectedBehaviors: [...] }
3. browser_screenshot({ path: "./evidence/sqli-bypass.png" })
Claude uses Reporting MCP (AI GENERATES ALL CONTENT):
4. get_report_template()
// Returns: Template with exact structure and formatting requirements
5. create_vulnerability_report({
vulnerability: {
type: "SQL_INJECTION",
severity: "Critical",
url: "https://vulnerable-site.com/login",
parameter: "username",
payload: "' OR 1=1--",
method: "POST"
},
// AI WRITES THIS OVERVIEW:
overview: "SQL Injection is a code injection technique that exploits security vulnerabilities in an application's database layer. This vulnerability occurs when user-supplied input is incorporated into SQL queries without proper sanitization...",
findings: {
// AI WRITES THIS SPECIFIC DESCRIPTION:
specificDescription: "The login form at /login endpoint is vulnerable to SQL injection via the username parameter. The application directly concatenates user input into SQL queries without using parameterized statements...",
detectedBehaviors: ["SQL_ERROR_MESSAGE", "AUTHENTICATION_BYPASS"],
confidence: "high"
},
// AI GENERATES THESE STEPS:
stepsToReproduce: [
"Navigate to https://vulnerable-site.com/login",
"In the username field, enter: ' OR 1=1--",
"In the password field, enter any value",
"Click the login button",
"Observe successful authentication bypass",
"Verify by checking session cookie"
],
// AI WRITES THESE RECOMMENDATIONS:
recommendations: [
"- **Use Parameterized Queries**: Implement prepared statements with parameterized queries for all database interactions...",
"- **Input Validation**: Implement strict server-side input validation...",
"- **Principle of Least Privilege**: Configure database accounts with minimal permissions..."
],
// AI WRITES THESE IMPACTS:
impacts: [
"- **Complete Authentication Bypass**: An attacker can bypass the login mechanism entirely...",
"- **Sensitive Data Exfiltration**: Using UNION-based attacks, attackers can extract database contents...",
"- **Database Manipulation**: Attackers could modify or delete records..."
]
})
6. add_evidence_to_report({
reportId: "vuln_report_xxx",
evidenceType: "screenshot",
content: "./evidence/sqli-bypass.png",
description: "Authentication Bypass - Successfully logged in as admin"
})
7. calculate_cvss_score({ reportId: "vuln_report_xxx" })
8. export_report({
reportId: "vuln_report_xxx",
outputPath: "./reports/sql-injection-login-bypass.md"
})See USAGE_EXAMPLE.md for a complete detailed example.
Report Format
Reports follow the exact template structure from /Users/orhanyildirim/Desktop/mcp-browser-injection-extented/report.md:
## Vulnerability Overview
[AI-generated general description of vulnerability type]
### Finding Details
[AI-generated specific findings for this instance]
### Steps To Reproduce
1. [AI-generated step]
2. [AI-generated step]
...
## Recommendations
To address this finding, implement the following:
[AI-generated recommendations with bold headers]
## References
See the following for more information:
[AI-generated or template default references]
## Impacts
If not addressed, this finding could lead to the following:
[AI-generated impacts with bold headers]How It Works
Template Loading: MCP reads
report.mdtemplate from its directoryAI Reads Template: Use
get_report_template()to see the exact structure requiredTemplate Structure: The markdown format is fixed and matches your report template exactly
AI Content: Claude generates all descriptive content based on:
The specific vulnerability found during testing
Security best practices and industry standards
Context from the target application
Severity and confidence levels
Template format guidelines
Flexibility: Content adapts to different vulnerability types, applications, and contexts
Fallback References: If AI doesn't provide custom references, the vulnerability database provides defaults for common types (SQL Injection, XSS, SSTI, Command Injection, NoSQL, LDAP, XXE)
Development
# Run in development mode
npm run dev
# Build for production
npm run build
# Run production build
npm startArchitecture
index.ts: Main MCP server implementationvulnerability-db.ts: Vulnerability knowledge base with templatesdist/: Compiled JavaScript output
Integration with Browser Automation MCP
This MCP is designed to work seamlessly with the mcp-browser-injection-extended MCP server. The browser MCP handles:
Automated vulnerability testing
Payload generation and testing
Evidence collection (screenshots, HTTP responses)
The reporting MCP then transforms those findings into professional security reports.
License
MIT
Contributing
Contributions welcome! Please submit issues and pull requests.
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/badchars/mcp-vulnerability-reporting'
If you have feedback or need assistance with the MCP directory API, please join our Discord server