CVE Intelligence Server

A Model Context Protocol (MCP) server that provides multi-source vulnerability intelligence for AI-powered security operations. Combines three free, authoritative data sources into a single unified interface — no API key required.

"Should I panic about this CVE?" — This server answers that question.

Why This Server?

Most CVE tools give you just a CVSS score. But security teams need to know:

• How severe is it? → CVSS score (from NVD)
• Is it being exploited RIGHT NOW? → CISA KEV catalog
• How LIKELY is exploitation? → EPSS probability score

This server combines all three into a single risk verdict.

┌─────────────────────────────────────────────────────────┐
│           mcp-server-cve-intel                           │
│                                                          │
│  ┌─────────────┐  ┌──────────────┐  ┌───────────────┐  │
│  │ NVD (NIST)  │  │ CISA KEV     │  │  EPSS         │  │
│  │ CVE details │  │ Known        │  │  Exploit      │  │
│  │ CVSS scores │  │ Exploited    │  │  Prediction   │  │
│  │ References  │  │ Vulns catalog│  │  Probability  │  │
│  └──────┬──────┘  └──────┬───────┘  └───────┬───────┘  │
│         └────────────────┼──────────────────┘           │
│                          ▼                               │
│              🎯 UNIFIED RISK VERDICT                     │
│   "CVE-2021-44228: CVSS 10.0, ACTIVELY EXPLOITED,      │
│    97.5% chance of exploitation → 🚨 PATCH NOW"         │
└─────────────────────────────────────────────────────────┘

Features

• 🔍 CVE Lookup — Full intelligence report from 3 sources for any CVE
• 🔎 CVE Search — Search vulnerabilities by keyword (product, vendor, type)
• 🚨 CISA KEV Feed — Latest actively exploited vulnerabilities
• 📊 EPSS Scores — Exploit probability predictions (next 30 days)
• 🎯 Risk Verdicts — Automated risk scoring combining all factors
• 🆓 No API Key Required — All data sources are free and public
• 🏠 Local + Remote — Supports both stdio and SSE transport

Quick Start

1. Install

git clone https://github.com/gopichand458/mcp-server-cve-intel.git
cd mcp-server-cve-intel
pip install -r requirements.txt

2. Run Local (for Claude Desktop)

python server.py

Add to your claude_desktop_config.json:

{
    "mcpServers": {
        "cve-intel": {
            "command": "python",
            "args": ["/FULL/PATH/TO/mcp-server-cve-intel/server.py"]
        }
    }
}

3. Run Remote (shareable SSE server)

python server.py --remote
# → Available at http://localhost:8000/sse

Optional: NVD API Key (for higher rate limits)

The server works without an API key, but NVD limits unauthenticated requests to 5 per 30 seconds. Get a free key for 50 requests/30 sec:

# Request key at: https://nvd.nist.gov/developers/request-an-api-key
export NVD_API_KEY="your-key-here"
python server.py

Tools

cve_lookup — Full CVE Intelligence Report

Get comprehensive intelligence for a specific CVE combining all 3 sources.

Input:  cve_lookup(cve_id="CVE-2021-44228")

Output: {
  "cve_id": "CVE-2021-44228",
  "description": "Apache Log4j2 <=2.14.1 JNDI features...",
  "cvss_score": 10.0,
  "severity": "CRITICAL",
  "epss": {
    "score_percent": "97.5%",
    "interpretation": "🔴 CRITICAL — Very high probability of exploitation"
  },
  "cisa_kev": {
    "in_kev_catalog": true,
    "actively_exploited": true,
    "known_ransomware_use": "Known"
  },
  "risk_verdict": {
    "overall": "🚨 CRITICAL — Immediate action required. Patch NOW.",
    "risk_score": "100/100",
    "risk_factors": [
      "🔴 CVSS Critical (9.0+)",
      "🔴 ACTIVELY EXPLOITED (in CISA KEV)",
      "🔴 USED IN RANSOMWARE CAMPAIGNS",
      "🔴 EPSS 97.5% — Very likely to be exploited"
    ]
  }
}

cve_search — Search by Keyword

Input:  cve_search(keyword="Microsoft Exchange", limit=5)
Output: List of matching CVEs with CVSS scores and severity

cve_recent_kev — Actively Exploited Vulnerabilities

Input:  cve_recent_kev(limit=10)
Output: Latest additions to CISA's Known Exploited Vulnerabilities catalog

cve_epss_score — Exploit Probability

Input:  cve_epss_score(cve_id="CVE-2024-3094")
Output: EPSS score with probability and percentile interpretation

Resources

URI	Description
cve-intel://about	Server info and data source details
cve-intel://severity-guide	CVSS/EPSS/KEV interpretation guide

Prompts

Prompt	Description
vulnerability_assessment	Guided CVE assessment workflow
threat_briefing	Current threat landscape briefing

Example Conversations

After connecting to Claude Desktop:

You: "Tell me about CVE-2024-3094"

Claude: calls cve_lookup → Provides full report with CVSS, EPSS, exploitation status, and risk verdict

You: "What's being actively exploited right now?"

Claude: calls cve_recent_kev → Lists latest CISA KEV additions with remediation guidance

You: "Find vulnerabilities in Apache Struts and tell me which to patch first"

Claude: calls cve_search + cve_epss_score → Searches, ranks by EPSS, recommends priority

Data Sources

Source	What It Provides	Rate Limit	Auth
NVD (NIST)	CVE details, CVSS scores, CWEs, references	5 req/30s (free), 50/30s (with key)	Optional
CISA KEV	Actively exploited CVEs, remediation deadlines	Unlimited	None
EPSS (FIRST.org)	Exploit probability (0-100%) for next 30 days	Unlimited	None

Compatibility

Client	Supported
Claude Desktop	✅ (stdio)
Claude Code	✅
Cursor	✅
VS Code + Copilot	✅
Any MCP client	✅

Project Structure

mcp-server-cve-intel/
├── server.py           # MCP server — tools, resources, prompts
├── cve_client.py       # Multi-source CVE intelligence client
├── requirements.txt    # Dependencies
├── LICENSE             # MIT License
├── .gitignore
└── README.md           # This file

Contributing

Contributions welcome! Some ideas:

• Add more data sources (OSV, GitHub Security Advisories)
• Add caching for CISA KEV (it's a large JSON file)
• Add a cve_compare tool for side-by-side comparison
• Docker support
• PyPI packaging

Author

GKonakala — github.com/gopichand458

License

MIT License — see LICENSE for details.

Disclaimer

Disclaimer

This product uses the NVD API but is not endorsed or certified by the NVD.

This tool aggregates publicly available vulnerability data for security research and operational purposes. It is not affiliated with NIST, CISA, or FIRST.org. Always verify critical findings through official sources.

---

Built with Model Context Protocol by Anthropic