CVE MCP Server
Server Configuration
Environment variables used to configure the server. None of them is required.
| Name | Required | Description | Default |
|---|---|---|---|
| SHODAN_KEY | No | Shodan API key for host/port/service reconnaissance. Register at https://account.shodan.io/register. | |
| MAX_RETRIES | No | Number of retries on transient errors. | 3 |
| NVD_API_KEY | No | NVD API key for faster lookups (50 req/30s vs 5 without key). Free at https://nvd.nist.gov/developers/request-an-api-key. | |
| URLSCAN_KEY | No | URLScan.io API key for URL scanning and website analysis. Sign up at https://urlscan.io/user/signup. | |
| GITHUB_TOKEN | No | GitHub token for increased rate limits (5,000 requests/hour vs 60 without token). Create at https://github.com/settings/tokens. | |
| ABUSEIPDB_KEY | No | AbuseIPDB API key for IP reputation lookups. Register at https://www.abuseipdb.com/register. | |
| CACHE_DB_PATH | No | Path to the SQLite cache database. | ~/.cve-mcp/cache.db |
| AUDIT_LOG_PATH | No | Path to the audit log file. | ~/.cve-mcp/audit.log |
| VIRUSTOTAL_KEY | No | VirusTotal API key for file/URL/domain/IP malware scanning. Sign up at https://www.virustotal.com/gui/join-us. | |
| CIRCL_PDNS_PASS | No | CIRCL Passive DNS password for authentication. Provided with CIRCL registration. | |
| CIRCL_PDNS_USER | No | CIRCL Passive DNS username for historical DNS lookups. Request access at https://www.circl.lu/services/passive-dns/. | |
| REQUEST_TIMEOUT | No | HTTP timeout in seconds. | 30 |
| GREYNOISE_API_KEY | No | GreyNoise API key for IP noise/scan activity intelligence. Sign up at https://viz.greynoise.io/signup. | |
Capabilities
Features and capabilities supported by this server
| Capability | Details |
|---|---|
| tools | { "listChanged": false } |
| prompts | { "listChanged": false } |
| resources | { "subscribe": false, "listChanged": false } |
| experimental | {} |
Tools
Functions exposed to the LLM to take actions
| Name | Description |
|---|---|
| lookup_cve | Look up a CVE by ID from NVD. Returns full details including CVSS scores, description, weaknesses, and CISA KEV status. Args: cve_id: CVE identifier (e.g. CVE-2021-44228) |
| search_cves | Search NVD for CVEs by keyword and optional severity filter. Args: query: Keyword to search (letters, numbers, spaces, hyphens, dots — max 200 chars) severity: Optional CVSS v3 severity filter: NONE, LOW, MEDIUM, HIGH, CRITICAL limit: Max results (1–50, default 10) |
| check_package_vulns | Check a package for known vulnerabilities via OSV.dev. Args: package: Package name (e.g. log4j-core, requests, lodash) ecosystem: Package ecosystem — PyPI, npm, Go, Maven, NuGet, crates.io, Packagist, Hex, RubyGems, Android, CocoaPods, GitHub Actions version: Optional specific version to check (e.g. 2.14.1) |
| get_epss_score | Get EPSS (Exploit Prediction Scoring System) scores for one or more CVEs. Args: cve_ids: Comma-separated CVE IDs (e.g. CVE-2021-44228,CVE-2022-22965) |
| check_kev | Check if a CVE is in the CISA Known Exploited Vulnerabilities (KEV) catalog. Args: cve_id: CVE identifier (e.g. CVE-2021-44228) |
| parse_cvss | Parse and explain a CVSS vector string (v2, v3.x, or v4.0). Args: vector: CVSS vector string (e.g. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) |
| get_cve_summary | Get a comprehensive one-page summary of a CVE: severity, EPSS, KEV status, description, weaknesses, and timeline. Fetches NVD + EPSS concurrently. Args: cve_id: CVE identifier (e.g. CVE-2021-44228) |
| health_check | Check the health of the CVE MCP server: NVD connectivity, KEV catalog status, and cache statistics. Note: This tool pings NVD without rate limiting — do not call it in a loop. |
| check_ip_reputation | Check an IP address reputation via AbuseIPDB and GreyNoise Community. Returns abuse confidence score, country, ISP, Tor status, and noise classification. Args: ip: IPv4 or IPv6 address to check (e.g. 1.2.3.4 or 2001:db8::1) |
| get_domain_intel | Get domain intelligence: certificate transparency logs (crt.sh) and passive DNS records (CIRCL PDNS). Returns subdomains and certificate history. Args: domain: Domain name to investigate (e.g. example.com) |
| passive_dns_lookup | Query CIRCL Passive DNS for historical DNS resolutions of an IP or domain. Shows what hostnames have resolved to this IP, or what IPs a domain has pointed to. Args: ip_or_domain: IPv4/IPv6 address or domain name to query |
| shodan_host_lookup | Look up a host on Shodan: open ports, running services, OS, CVEs on the host. Requires SHODAN_KEY environment variable. Args: ip: IPv4 address to look up (e.g. 8.8.8.8) |
| lookup_file_hash | Look up a file hash (MD5/SHA1/SHA256) against MalwareBazaar and VirusTotal. Returns malware family, detection stats, and file metadata. Args: hash_str: MD5 (32 hex), SHA1 (40 hex), or SHA256 (64 hex) hash |
| check_url_safety | Check a URL or domain for malicious activity via URLScan.io. Returns scan verdicts, malicious flag, score, and categories. Args: url_or_domain: URL (https://example.com/path) or bare domain (example.com) |
| lookup_malware_family | Look up an IOC (IP, domain, URL, or hash) against ThreatFox for malware family attribution. Returns confidence level, IOC type, and threat classification. Args: ioc: Indicator of Compromise — IP address, domain, URL, MD5/SHA256 hash |
| check_ransomware_intel | Check if a Bitcoin address is associated with a known ransomware family using the Ransomwhere database. Args: bitcoin_address: Bitcoin wallet address to look up (P2PKH, P2SH, or bech32) |
| get_vendor_advisory | Fetch vendor security advisories for a CVE from Microsoft (MSRC), Red Hat, and Ubuntu. Shows patch availability and affected products. Args: cve_id: CVE identifier (e.g. CVE-2021-44228) |
| check_exploit_availability | Search GitHub for public proof-of-concept (PoC) exploit repositories for a CVE. Results are sorted by star count to surface the most credible exploits first. Args: cve_id: CVE identifier (e.g. CVE-2021-44228) |
| get_attack_mapping | Map a CVE to MITRE ATT&CK techniques and associated threat groups. Downloads the ATT&CK dataset lazily (cached 24h). Searches technique descriptions and references for the CVE ID. Args: cve_id: CVE identifier (e.g. CVE-2021-44228) |
| get_cve_timeline | Build a complete CVE lifecycle timeline: NVD publication date, EPSS score history, CISA KEV addition date, patch lag, and exploit window estimation. Args: cve_id: CVE identifier (e.g. CVE-2021-44228) |
| scan_dependencies | Bulk scan application dependencies for known CVEs via OSV.dev. Supports requirements.txt (PyPI), package.json (npm), pom.xml (Maven), or generic 'name:ecosystem:version' lines. Returns only vulnerable packages. Args: dependency_list: Raw contents of requirements.txt, package.json, pom.xml, or newline-separated 'name:ecosystem:version' entries. Max 1000 packages per call. |
| scan_container_packages | Scan container image packages (Alpine, Debian, Ubuntu OS packages) for known CVEs via OSV.dev. Input should be 'name:ecosystem:version' lines, one package per line, e.g. from 'apk info -v' or 'dpkg -l' output. Supported ecosystems: Alpine, Debian, Ubuntu, and any OSV-supported ecosystem. Args: packages: Newline-separated 'name:ecosystem:version' entries. Example: openssl:Alpine:3.0.7-r0 musl:Alpine:1.2.4_r2 libssl3:Debian:3.0.7-1 |
| scan_repo_secrets | Search GitHub public repositories for potential exposed credentials or secrets related to a search term (CVE ID, tool name, or keyword). Requires GITHUB_TOKEN for best results. For security research only. Args: search_term: CVE ID, tool name, or keyword to search for in public repo files (e.g. CVE-2024-1234, AWS_SECRET_ACCESS_KEY, log4j) |
| check_poc_exists | Search for proof-of-concept exploits across GitHub, Exploit-DB, and Nuclei templates. |
| calculate_risk_score | Calculate a composite 0-100 risk score using CVSS, EPSS, KEV, and PoC data. |
| generate_vuln_report | Generate a vulnerability report in executive, technical, or full format. |
| compare_cves | Compare multiple CVEs by risk score and generate a patch priority ranking. |
Prompts
Interactive templates invoked by user choice
| Name | Description |
|---|---|
| No prompts | |
Resources
Contextual data attached and managed by the client
| Name | Description |
|---|---|
| No resources | |
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/mukul975/cve-mcp-server'