cve-mcp
CVE/vulnerability intelligence MCP server: NVD, EPSS, KEV, GitHub Advisory, OSV
CVE & vulnerability intelligence for AI agents.
NVD, EPSS, CISA KEV, GitHub Advisory, and OSV, unified into a single MCP server.
Your AI agent gets vulnerability intelligence on demand, not a 200-page report.
The Problem · How It's Different · Quick Start · What The AI Can Do · Tools · Data Sources · Architecture
The Problem
Vulnerability intelligence is scattered across multiple databases. NVD has CVE details. EPSS tells you exploitation probability. CISA KEV tracks actively exploited vulns. GitHub Advisory covers open source packages. OSV maps vulnerabilities to specific package versions. No single tool aggregates them, and none work with AI agents.
Traditional workflow:

```text
search NVD for CVE details        → navigate a clunky web UI
check EPSS for exploitation risk  → separate API, separate format
look up CISA KEV status           → download a JSON feed manually
search GitHub advisories          → yet another interface
query OSV for package impact      → different API, different schema
correlate everything              → copy-paste into a spreadsheet
─────────────────────────────────
Total: 30+ minutes per CVE, longer for bulk triage
```
cve-mcp gives your AI agent 23 tools via the Model Context Protocol. The agent queries all five sources in parallel, correlates data, calculates risk scores, and tells you exactly what matters.
With cve-mcp:

```text
You: "Prioritize these 10 CVEs by actual exploitation risk"

Agent: → fetches CVSS scores from NVD
       → gets EPSS exploitation probability for each
       → checks CISA KEV for actively exploited
       → cross-references GitHub advisories for patches
       → "3 are critical: CVE-2024-3400 (EPSS 97%, in KEV),
          CVE-2023-44487 (HTTP/2 rapid reset, EPSS 96%),
          CVE-2021-44228 (Log4Shell, EPSS 97%, in KEV).
          Here are patches and affected versions..."
```
How It's Different
Existing tools give you raw data. cve-mcp gives your AI agent the ability to reason about vulnerabilities.
| | Traditional Tools | cve-mcp |
|---|---|---|
| Interface | Web UI / CLI / raw API calls | MCP: AI agent calls tools conversationally |
| Data sources | One database at a time | NVD + EPSS + KEV + GHSA + OSV in parallel |
| Risk scoring | CVSS only (severity, not exploitability) | CVSS × EPSS × KEV = actual risk priority |
| Correlation | Manual copy-paste | Agent enriches: "This CVE has CVSS 9.8, EPSS 97%, is in KEV, affects lodash@4.17.20" |
| Bulk triage | One CVE at a time | Agent prioritizes 50 CVEs in a single conversation |
| Package impact | Separate OSV/GHSA lookup | Agent finds affected packages + versions automatically |
| Dependencies | Heavy CLI tools, Python environments | 2 runtime dependencies, runs with npx |
Quick Start
Option 1: npx (no install)

```bash
npx cve-mcp
```

Option 2: Clone

```bash
git clone https://github.com/badchars/cve-mcp.git
cd cve-mcp
bun install
```

Environment variables (optional)

```bash
# Increases NVD rate limit from 5 to 50 requests per 30 seconds
export NVD_API_KEY=your-nvd-api-key
# Enables GitHub Advisory search (60 → 5000 requests/hour)
export GITHUB_TOKEN=ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
```

Both are optional. The server works without them, just with lower rate limits.
Connect to your AI agent
Claude Code

```bash
# With npx
claude mcp add cve-mcp -- npx cve-mcp
# With local clone
claude mcp add cve-mcp -- bun run /path/to/cve-mcp/src/index.ts
```

Claude Desktop

Add to ~/Library/Application Support/Claude/claude_desktop_config.json:

```json
{
  "mcpServers": {
    "cve-mcp": {
      "command": "npx",
      "args": ["cve-mcp"],
      "env": {
        "NVD_API_KEY": "optional-key",
        "GITHUB_TOKEN": "optional-token"
      }
    }
  }
}
```
Cursor / Windsurf / other MCP clients
Same JSON config format. Point the command to `npx cve-mcp` or your installation path.

Start querying

```text
You: "What do you know about CVE-2024-3400?"
```

That's it. The agent handles the rest.
What The AI Can Do
Incident Response
```text
You: "We got hit by CVE-2024-3400. Give me everything."

Agent: → cve_enrich {cveId: "CVE-2024-3400"}
       → NVD: PAN-OS command injection, CVSS 10.0
       → EPSS: 97.2% exploitation probability
       → KEV: Added 2024-04-12, due 2024-05-01
       → GHSA: No open source advisory (commercial product)
       → exploit_search: 23 PoC repos on GitHub
       → "Critical. Actively exploited in the wild.
          PAN-OS GlobalProtect, versions < 10.2.9-h1.
          Patch immediately. CISA deadline: May 1."
```
Vulnerability Prioritization
```text
You: "Prioritize these CVEs from our scan: CVE-2021-44228, CVE-2024-3400,
      CVE-2023-44487, CVE-2024-21762, CVE-2023-4966"

Agent: → cve_prioritize {cves: [...]}
       → Ranks by CVSS × EPSS × KEV multiplier
       → "#1: CVE-2024-3400 (risk: 19.44, CVSS 10.0, EPSS 97%, KEV)
          #2: CVE-2021-44228 (risk: 19.40, CVSS 10.0, EPSS 97%, KEV)
          #3: CVE-2023-4966 (risk: 19.10, CVSS 9.4, EPSS 97%, KEV)
          All 5 are in CISA KEV; patch all immediately."
```
Dependency Audit
```text
You: "Check if lodash 4.17.20 and django 3.2.0 have known vulnerabilities"

Agent: → osv_batch {queries: [
           {package: "lodash", version: "4.17.20", ecosystem: "npm"},
           {package: "django", version: "3.2.0", ecosystem: "PyPI"}
         ]}
       → "lodash 4.17.20: 3 vulnerabilities (prototype pollution)
          django 3.2.0: 12 vulnerabilities (SQL injection, XSS)
          Upgrade lodash to 4.17.21+, django to 4.2+"
```
Threat Monitoring
```text
You: "What are the most likely to be exploited CVEs right now?"

Agent: → cve_trending {limit: 10, minEpss: 0.9}
       → "Top 10 by exploitation probability:
          1. CVE-2024-3400: PAN-OS (EPSS 97.2%, CVSS 10.0, KEV)
          2. CVE-2023-44487: HTTP/2 Rapid Reset (EPSS 96.5%, CVSS 7.5, KEV)
          ..."
```
CVSS Deep Dive
```text
You: "Break down this CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"

Agent: → cvss_parse {vector: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}
       → "Score: 10.0 (CRITICAL)
          Network attack vector, no privileges required, no user interaction.
          Scope changed: can impact other components.
          Full compromise: confidentiality, integrity, and availability."
```
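The score the agent reports above comes from the CVSS v3.1 base-score equations. The following is an added example written for this page, not cve-mcp's own `cvss/index.ts`: it parses a v3.1 vector (rejecting v2/v3.0/v4, as the project's parser does) and computes the base score with the FIRST specification's weights, scope-changed PR adjustment, and integer-based Roundup.

```typescript
// Added example (not cve-mcp's own code): CVSS v3.1 base score from a vector
// string, following the FIRST CVSS v3.1 specification formulas.
const WEIGHTS: Record<string, Record<string, number>> = {
  AV: { N: 0.85, A: 0.62, L: 0.55, P: 0.2 },
  AC: { L: 0.77, H: 0.44 },
  PR: { N: 0.85, L: 0.62, H: 0.27 }, // scope-unchanged PR weights
  UI: { N: 0.85, R: 0.62 },
  C: { H: 0.56, L: 0.22, N: 0 },
  I: { H: 0.56, L: 0.22, N: 0 },
  A: { H: 0.56, L: 0.22, N: 0 },
};
// PR weights when Scope is Changed (privileges gain more reach)
const PR_SCOPE_CHANGED: Record<string, number> = { N: 0.85, L: 0.68, H: 0.5 };

// The spec's Roundup: round up to one decimal via an integer step that avoids
// floating-point artefacts such as 4.0000001 rounding up to 4.1.
export function roundUp(x: number): number {
  const i = Math.round(x * 100000);
  return i % 10000 === 0 ? i / 100000 : (Math.floor(i / 10000) + 1) / 10;
}

export function parseVector(vector: string): Record<string, string> {
  const parts = vector.split("/");
  if (parts[0] !== "CVSS:3.1") throw new Error("only CVSS:3.1 vectors are supported");
  const m: Record<string, string> = {};
  for (const part of parts.slice(1)) {
    const [key, value] = part.split(":");
    if (!key || !value) throw new Error(`malformed metric "${part}"`);
    m[key] = value;
  }
  for (const k of ["AV", "AC", "PR", "UI", "S", "C", "I", "A"]) {
    if (!(k in m)) throw new Error(`missing base metric ${k}`);
  }
  if (m.S !== "U" && m.S !== "C") throw new Error(`invalid scope ${m.S}`);
  return m;
}

export function baseScore(vector: string): number {
  const m = parseVector(vector);
  const changed = m.S === "C";
  const w = (k: string): number => {
    const val = m[k] ?? "";
    const table = k === "PR" && changed ? PR_SCOPE_CHANGED : WEIGHTS[k] ?? {};
    const v = table[val];
    if (v === undefined) throw new Error(`invalid value ${val} for ${k}`);
    return v;
  };
  const iss = 1 - (1 - w("C")) * (1 - w("I")) * (1 - w("A"));
  const impact = changed ? 7.52 * (iss - 0.029) - 3.25 * Math.pow(iss - 0.02, 15) : 6.42 * iss;
  const exploitability = 8.22 * w("AV") * w("AC") * w("PR") * w("UI");
  if (impact <= 0) return 0; // no impact means a 0.0 score regardless of exploitability
  const raw = changed ? 1.08 * (impact + exploitability) : impact + exploitability;
  return roundUp(Math.min(raw, 10));
}
```

The page's vector evaluates to 10.0; an availability-only, scope-unchanged vector (constructed here) lands at 7.5, which is the kind of gap between "critical" and "high" that EPSS and KEV are then layered on top of.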
Tools Reference (23 tools)
NVD (4)
| Tool | Description |
|---|---|
| nvd_search | Search CVEs by keyword, severity, CWE, date range |
| nvd_get | Get full CVE details (CVSS, CWE, CPE, references) |
| nvd_recent | Recently published/modified CVEs |
| cve_by_product | Search CVEs by product name (CPE keyword match) |
EPSS (2)
| Tool | Description |
|---|---|
| epss_score | EPSS exploitation probability for one or more CVEs |
| epss_top | Top CVEs by exploitation probability |
KEV (3)
| Tool | Description |
|---|---|
| kev_check | Check if CVE(s) are in the CISA Known Exploited Vulnerabilities catalog |
| kev_search | Search KEV by vendor, product, or keyword |
| kev_recent | Recently added KEV entries |
GHSA (2)
| Tool | Description |
|---|---|
| ghsa_search | Search GitHub security advisories by keyword, ecosystem, severity |
| ghsa_get | Get advisory details by GHSA ID or CVE ID |
OSV (3)
| Tool | Description |
|---|---|
| osv_query | Query vulnerabilities for a specific package version |
| osv_get | Get vulnerability details by OSV/GHSA/CVE ID |
| osv_batch | Batch query multiple packages at once |
Exploit (1)
| Tool | Description |
|---|---|
| exploit_search | Search for public PoC exploits (GitHub repositories) |
CWE (1)
| Tool | Description |
|---|---|
| cwe_lookup | Look up CWE weakness by ID or search by keyword |
CVSS (1)
| Tool | Description |
|---|---|
| cvss_parse | Parse and explain a CVSS v3.1 vector string with score calculation |
Meta (6)
| Tool | Description |
|---|---|
| cve_enrich | Full enrichment: NVD + EPSS + KEV + GHSA + OSV in parallel |
| cve_prioritize | Rank CVEs by risk (CVSS × EPSS × KEV multiplier) |
| cve_trending | Currently trending CVEs by exploitation probability |
| cve_compare | Side-by-side comparison of two CVEs |
| cve_list_sources | List all data sources and their availability |
| cve_report | Generate a markdown vulnerability report |
Data Sources
| Source | Auth | What it provides |
|---|---|---|
| NVD | Optional NVD_API_KEY | CVE details, CVSS scores, CWE mappings, CPE affected products, references |
| EPSS | None | Exploitation probability score (0-1) and percentile ranking |
| CISA KEV | None | Known exploited vulnerabilities with remediation deadlines |
| GitHub Advisory | Optional GITHUB_TOKEN | Open source security advisories, affected packages, severity |
| OSV | None | Package-level vulnerability data across 16+ ecosystems |
Risk Score Formula
Risk Score = CVSS Base Score × EPSS Score × KEV Multiplier

Where:
- CVSS Base Score = 0-10 (severity from NVD)
- EPSS Score = 0-1 (exploitation probability from FIRST)
- KEV Multiplier = 2 if in CISA KEV, 1 otherwise
This gives a practical risk score that balances severity (CVSS) with real-world exploitation likelihood (EPSS) and known active exploitation (KEV).
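The formula applied to enrichment records, the way `cve_prioritize` ranks a list. This is an added example written for this page, not the project's `meta/prioritize.ts`; the record shape `Enriched` and the sample values are constructed here from the CVSS/EPSS/KEV figures the README quotes for CVE-2024-3400, CVE-2021-44228 and CVE-2023-44487. It also rejects an EPSS given as a percentage (97 instead of 0.97), the unit mix-up that would otherwise inflate every score a hundredfold.

```typescript
// Added example (not cve-mcp's own code): risk = CVSS × EPSS × KEV multiplier,
// applied to per-CVE enrichment records and sorted for triage.
export interface Enriched {
  cveId: string;
  cvss: number;   // NVD base score, 0-10
  epss: number;   // FIRST EPSS probability, 0-1 (not a percentage)
  inKev: boolean; // listed in CISA KEV
}

export function riskScore(cvss: number, epss: number, inKev: boolean): number {
  if (!Number.isFinite(cvss) || cvss < 0 || cvss > 10) {
    throw new RangeError(`CVSS ${cvss} outside 0-10`);
  }
  if (!Number.isFinite(epss) || epss < 0 || epss > 1) {
    throw new RangeError(`EPSS ${epss} outside 0-1 (percentage passed instead of probability?)`);
  }
  const kevMultiplier = inKev ? 2 : 1;
  // Two decimals, matching the README's sample output (e.g. 19.44)
  return Math.round(cvss * epss * kevMultiplier * 100) / 100;
}

// Highest risk first; ties broken by CVE id so output is deterministic.
export function prioritize(cves: Enriched[]): Array<Enriched & { risk: number }> {
  return cves
    .map((c) => ({ ...c, risk: riskScore(c.cvss, c.epss, c.inKev) }))
    .sort((a, b) => b.risk - a.risk || a.cveId.localeCompare(b.cveId));
}

// Constructed sample records using the values the README states for these CVEs.
export const SAMPLE: Enriched[] = [
  { cveId: "CVE-2023-44487", cvss: 7.5, epss: 0.96, inKev: true },
  { cveId: "CVE-2021-44228", cvss: 10.0, epss: 0.97, inKev: true },
  { cveId: "CVE-2024-3400", cvss: 10.0, epss: 0.972, inKev: true },
];

// Stand-alone run: prints the ranked list.
for (const r of prioritize(SAMPLE)) {
  console.log(`${r.cveId} risk=${r.risk} cvss=${r.cvss} epss=${r.epss} kev=${r.inKev}`);
}
```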
Architecture
```text
src/
├── index.ts              Entry point + MCP stdio
├── types/
│   └── index.ts          ToolDef, ToolContext, ToolResult, API types
├── protocol/
│   ├── tools.ts          23 tool definitions (Zod schemas)
│   └── mcp-server.ts     MCP server + stdio transport
├── nvd/
│   ├── index.ts          NVD API v2: search, get, recent
│   └── cpe.ts            Product/CPE search
├── epss/
│   └── index.ts          EPSS: score, top
├── kev/
│   └── index.ts          KEV: check, search, recent (cached)
├── ghsa/
│   └── index.ts          GitHub Advisory: search, get
├── osv/
│   └── index.ts          OSV: query, get, batch
├── exploit/
│   └── index.ts          PoC search via GitHub repos
├── cwe/
│   └── index.ts          CWE database (40+ entries embedded)
├── cvss/
│   └── index.ts          CVSS v3.1 parser + score calculator
├── meta/
│   ├── enrich.ts         Full CVE enrichment (all sources)
│   ├── prioritize.ts     Risk-based CVE ranking
│   ├── trending.ts       Trending CVEs by EPSS
│   ├── compare.ts        Side-by-side CVE comparison
│   └── sources.ts        Data source health check
└── utils/
    ├── rate-limiter.ts   Queue-based rate limiter (NVD)
    └── cache.ts          TTL cache (NVD results)
```
Design decisions:
- Intelligence, not audit: unlike cloud-audit-mcp and github-security-mcp, this is a data tool. No CheckResult, no findings accumulation. Each query is independent and stateless.
- Parallel enrichment: `cve_enrich` calls all 5 sources via `Promise.allSettled`. If one source is down, the rest still return data.
- Shared rate limiter: all NVD modules share a single `RateLimiter` instance (6s between requests) to avoid 429 errors.
- KEV caching: the full KEV catalog (~1200 entries, ~200KB) is loaded once and cached in memory with 1-hour TTL.
- NVD result caching: individual CVE lookups are cached with 10-minute TTL to avoid redundant API calls during enrichment.
- Embedded CWE database: 40+ top CWEs from OWASP/MITRE embedded as static data. No external API needed.
- Full CVSS calculator: CVSS v3.1 base score calculation algorithm implemented locally. Parses any vector string and explains each metric.
- 2 dependencies: `@modelcontextprotocol/sdk` and `zod`. Nothing else.
Limitations
- NVD API without `NVD_API_KEY` is limited to 5 requests per 30 seconds. Set the key for production use.
- GitHub Advisory search without `GITHUB_TOKEN` is limited to 60 requests per hour.
- Exploit search uses GitHub repository search, which has its own rate limits.
- CVSS parser supports v3.1 only (v2 and v4 vectors are not parsed, though v2 scores are returned from NVD)
- CWE database is embedded (40+ entries) rather than comprehensive (1000+ in full MITRE database)
- macOS / Linux (Windows not tested)
Part of the MCP Security Suite
| Project | Domain | Tools |
|---|---|---|
| hackbrowser-mcp | Browser-based security testing | 39 tools, Firefox, injection testing |
| cloud-audit-mcp | Cloud security (AWS/Azure/GCP) | 38 tools, 60+ checks |
| github-security-mcp | GitHub security posture | 39 tools, 45 checks |
| cve-mcp | Vulnerability intelligence | 23 tools, 5 sources |
For authorized security testing and assessment only.
Always ensure you have proper authorization before testing systems.
MIT License · Built with Bun + TypeScript
