Cve
БесплатноНе проверенUnifies NVD, EPSS, CISA KEV, GitHub Advisory, and OSV into a single MCP server, enabling AI agents to query vulnerability intelligence conversationally with 23
Описание
Unifies NVD, EPSS, CISA KEV, GitHub Advisory, and OSV into a single MCP server, enabling AI agents to query vulnerability intelligence conversationally with 23 tools for incident response, prioritization, dependency audits, and threat monitoring.
README
English | 简体中文 | 繁體中文 | 한국어 | Deutsch | Español | Français | Italiano | Dansk | 日本語 | Polski | Русский | Bosanski | العربية | Norsk | Português (Brasil) | ไทย | Türkçe | Українська | বাংলা | Ελληνικά | Tiếng Việt | हिन्दी
CVE & vulnerability intelligence for AI agents.
NVD, EPSS, CISA KEV, GitHub Advisory, OSV, Shodan, VulnCheck, Vulners, Nuclei, Metasploit, CIRCL, AttackerKB, and MITRE ATT&CK — unified into a single MCP server.
Your AI agent gets vulnerability intelligence on demand, not a 200-page report.
The Problem • How It's Different • Quick Start • What The AI Can Do • Tools • Data Sources • Architecture • Contributing • Changelog
The Problem
Vulnerability intelligence is scattered across multiple databases. NVD has CVE details. EPSS tells you exploitation probability. CISA KEV tracks actively exploited vulns. GitHub Advisory covers open source packages. OSV maps vulnerabilities to specific package versions. Shodan tracks internet exposure. Nuclei and Metasploit tell you if there's a working exploit. No single tool aggregates them, and none work with AI agents.
Traditional workflow:
search NVD for CVE details → navigate a clunky web UI
check EPSS for exploitation risk → separate API, separate format
look up CISA KEV status → download a JSON feed manually
search GitHub advisories → yet another interface
query OSV for package impact → different API, different schema
check Shodan for exposure → separate subscription
look for Nuclei/MSF exploits → manual GitHub search
map to ATT&CK techniques → separate MITRE lookup
correlate everything → copy-paste into a spreadsheet
──────────────────────────────────
Total: 30+ minutes per CVE, longer for bulk triage
cve-mcp gives your AI agent 41 tools via the Model Context Protocol. The agent queries 11 sources in parallel, correlates data, detects weaponization signals, calculates risk scores, and tells you exactly what matters.
With cve-mcp:
You: "Prioritize these 10 CVEs by actual exploitation risk"
Agent: → fetches CVSS scores from NVD
→ gets EPSS exploitation probability for each
→ checks CISA KEV for actively exploited
→ cross-references GitHub advisories for patches
→ "3 are critical: CVE-2024-3400 (EPSS 97%, in KEV),
CVE-2023-44487 (HTTP/2 rapid reset, EPSS 96%),
CVE-2021-44228 (Log4Shell, EPSS 97%, in KEV).
Here are patches and affected versions..."
How It's Different
Existing tools give you raw data. cve-mcp gives your AI agent the ability to reason about vulnerabilities.
| Traditional Tools | cve-mcp | |
|---|---|---|
| Interface | Web UI / CLI / raw API calls | MCP — AI agent calls tools conversationally |
| Data sources | One database at a time | 11 sources in parallel: NVD, EPSS, KEV, GHSA, OSV, Shodan, VulnCheck, Vulners, Nuclei, Metasploit, CIRCL |
| Risk scoring | CVSS only (severity, not exploitability) | CVSS × EPSS × KEV × Exploit multiplier (Nuclei/MSF) = actual risk |
| Correlation | Manual copy-paste | Agent enriches: "CVSS 9.8, EPSS 97%, KEV, Nuclei template exists, MSF module available, maps to T1190" |
| Bulk triage | One CVE at a time | Agent prioritizes 50 CVEs in a single conversation |
| Package impact | Separate OSV/GHSA lookup | Agent finds affected packages + versions automatically |
| Dependencies | Heavy CLI tools, Python environments | 2 runtime dependencies, runs with npx |
Quick Start
Option 1: npx (no install)
npx cve-mcp
Option 2: Clone
git clone https://github.com/badchars/cve-mcp.git
cd cve-mcp
bun install
Environment variables (all optional)
# Increases NVD rate limit from 5 to 50 requests per 30 seconds
export NVD_API_KEY=your-nvd-api-key
# Enables GitHub Advisory search (60 → 5000 requests/hour)
export GITHUB_TOKEN=ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# VulnCheck extended KEV, CPE, PURL search
export VULNCHECK_API_KEY=your-vulncheck-key
# Vulners vulnerability search across 200+ sources
export VULNERS_API_KEY=your-vulners-key
# AttackerKB community assessments
export ATTACKERKB_API_KEY=your-attackerkb-key
All are optional. The server works without them — some tools just have lower rate limits or reduced data.
Connect to your AI agent
Claude Code
# With npx
claude mcp add cve-mcp -- npx cve-mcp
# With local clone
claude mcp add cve-mcp -- bun run /path/to/cve-mcp/src/index.ts
Claude Desktop
Add to ~/Library/Application Support/Claude/claude_desktop_config.json:
{
"mcpServers": {
"cve-mcp": {
"command": "npx",
"args": ["cve-mcp"],
"env": {
"NVD_API_KEY": "optional-key",
"GITHUB_TOKEN": "optional-token",
"VULNCHECK_API_KEY": "optional-key",
"VULNERS_API_KEY": "optional-key",
"ATTACKERKB_API_KEY": "optional-key"
}
}
}
}
Cursor / Windsurf / other MCP clients
Same JSON config format. Point the command to npx cve-mcp or your installation path.
Start querying
You: "What do you know about CVE-2024-3400?"
That's it. The agent handles the rest.
What The AI Can Do
Incident Response
You: "We got hit by CVE-2024-3400. Give me everything."
Agent: → cve_enrich {cveId: "CVE-2024-3400"}
→ NVD: PAN-OS command injection, CVSS 10.0
→ EPSS: 97.2% exploitation probability
→ KEV: Added 2024-04-12, due 2024-05-01
→ Shodan: 4 CPEs, internet-exposed
→ Nuclei: Detection template exists (critical)
→ Metasploit: Exploit module available (excellent rank)
→ "Critical. Weaponized — both Nuclei and MSF modules exist.
PAN-OS GlobalProtect, versions < 10.2.9-h1.
Patch immediately. CISA deadline: May 1."
Vulnerability Prioritization
You: "Prioritize these CVEs from our scan: CVE-2021-44228, CVE-2024-3400,
CVE-2023-44487, CVE-2024-21762, CVE-2023-4966"
Agent: → cve_prioritize {cves: [...]}
→ Ranks by CVSS × EPSS × KEV multiplier
→ "#1: CVE-2024-3400 (risk: 19.44, CVSS 10.0, EPSS 97%, KEV)
#2: CVE-2021-44228 (risk: 19.40, CVSS 10.0, EPSS 97%, KEV)
#3: CVE-2023-4966 (risk: 19.10, CVSS 9.4, EPSS 97%, KEV)
All 5 are in CISA KEV — patch all immediately."
Dependency Audit
You: "Check if lodash 4.17.20 and django 3.2.0 have known vulnerabilities"
Agent: → osv_batch {queries: [
{package: "lodash", version: "4.17.20", ecosystem: "npm"},
{package: "django", version: "3.2.0", ecosystem: "PyPI"}
]}
→ "lodash 4.17.20: 3 vulnerabilities (prototype pollution)
django 3.2.0: 12 vulnerabilities (SQL injection, XSS)
Upgrade lodash to 4.17.21+, django to 4.2+"
Threat Monitoring
You: "What are the most likely to be exploited CVEs right now?"
Agent: → cve_trending {limit: 10, minEpss: 0.9}
→ "Top 10 by exploitation probability:
1. CVE-2024-3400 — PAN-OS (EPSS 97.2%, CVSS 10.0, KEV)
2. CVE-2023-44487 — HTTP/2 Rapid Reset (EPSS 96.5%, CVSS 7.5, KEV)
..."
CVSS Deep Dive (v3.1 & v4.0)
You: "Break down this CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
Agent: → cvss_parse {vector: "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}
→ "CVSS v4.0 — Score: 9.3 (CRITICAL)
Network attack, low complexity, no attack requirements.
No privileges, no user interaction.
Vulnerable system: full C/I/A impact.
Subsequent systems: no impact."
ATT&CK Mapping
You: "Map CVE-2024-3400 to MITRE ATT&CK techniques"
Agent: → cve_to_attack {cweIds: ["CWE-77"]}
→ "CWE-77 (Command Injection) maps to:
T1059 — Command and Scripting Interpreter (Execution)
T1190 — Exploit Public-Facing Application (Initial Access)"
Tools Reference (41 tools)
NVD (4)
| Tool | Description |
|---|---|
nvd_search |
Search CVEs by keyword, severity, CWE, date range |
nvd_get |
Get full CVE details (CVSS, CWE, CPE, references) |
nvd_recent |
Recently published/modified CVEs |
cve_by_product |
Search CVEs by product name (CPE keyword match) |
EPSS (2)
| Tool | Description |
|---|---|
epss_score |
EPSS exploitation probability for one or more CVEs |
epss_top |
Top CVEs by exploitation probability |
KEV (3)
| Tool | Description |
|---|---|
kev_check |
Check if CVE(s) are in CISA Known Exploited Vulnerabilities catalog |
kev_search |
Search KEV by vendor, product, or keyword |
kev_recent |
Recently added KEV entries |
GHSA (2)
| Tool | Description |
|---|---|
ghsa_search |
Search GitHub security advisories by keyword, ecosystem, severity |
ghsa_get |
Get advisory details by GHSA ID or CVE ID |
OSV (3)
| Tool | Description |
|---|---|
osv_query |
Query vulnerabilities for a specific package version |
osv_get |
Get vulnerability details by OSV/GHSA/CVE ID |
osv_batch |
Batch query multiple packages at once |
Exploit (1)
| Tool | Description |
|---|---|
exploit_search |
Search for public PoC exploits (GitHub repositories) |
Shodan (3)
| Tool | Description |
|---|---|
shodan_cve |
CVE lookup via Shodan CVEDB (EPSS, KEV, CPE integrated, zero-auth) |
shodan_product |
Find CVEs by product/vendor name via Shodan |
shodan_ip_vulns |
Get known vulnerabilities for an IP address (InternetDB) |
VulnCheck (3)
| Tool | Description |
|---|---|
vulncheck_kev |
Extended KEV catalog (~80% more entries than CISA) |
vulncheck_cpe |
CVE search by CPE string |
vulncheck_purl |
CVE search by Package URL (purl) |
Vulners (2)
| Tool | Description |
|---|---|
vulners_lookup |
CVE details from Vulners (200+ sources, exploit refs) |
vulners_search |
Full-text vulnerability search across Vulners database |
Nuclei & Metasploit (2)
| Tool | Description |
|---|---|
nuclei_check |
Check if a Nuclei detection template exists for a CVE |
msf_check |
Check if a Metasploit exploit module exists for a CVE |
CPE (2)
| Tool | Description |
|---|---|
cpe_search |
Search NVD CPE dictionary by keyword |
cpe_match |
Get CPE matches for a specific CVE |
CIRCL (1)
| Tool | Description |
|---|---|
circl_cve |
CIRCL CVE enrichment (CAPEC, alt references, impact vectors) |
AttackerKB (1)
| Tool | Description |
|---|---|
attackerkb_assess |
Community assessments from AttackerKB (attacker value, exploitability) |
ATT&CK (1)
| Tool | Description |
|---|---|
cve_to_attack |
Map CVE CWE IDs to MITRE ATT&CK techniques and tactics |
CWE (4)
| Tool | Description |
|---|---|
cwe_lookup |
Look up CWE weakness by ID or search by keyword (static DB) |
cwe_get |
Full CWE details from MITRE API (1000+ CWEs, mitigations, examples) |
cwe_hierarchy |
CWE parent/child hierarchy from MITRE API |
cwe_top25 |
MITRE CWE Top 25 Most Dangerous Software Weaknesses |
CVSS (1)
| Tool | Description |
|---|---|
cvss_parse |
Parse and explain CVSS v3.1 or v4.0 vector string with score calculation |
Meta (6)
| Tool | Description |
|---|---|
cve_enrich |
Full enrichment: NVD + EPSS + KEV + GHSA + OSV + Shodan + Nuclei + MSF in parallel |
cve_prioritize |
Rank CVEs by risk (CVSS × EPSS × KEV × Exploit multiplier) |
cve_trending |
Currently trending CVEs by exploitation probability |
cve_compare |
Side-by-side comparison of two CVEs |
cve_list_sources |
List all 11 data sources and their availability |
cve_report |
Generate a markdown vulnerability report |
Data Sources
| Source | Auth | What it provides |
|---|---|---|
| NVD | Optional NVD_API_KEY |
CVE details, CVSS scores, CWE mappings, CPE affected products, references |
| EPSS | None | Exploitation probability score (0-1) and percentile ranking |
| CISA KEV | None | Known exploited vulnerabilities with remediation deadlines |
| GitHub Advisory | Optional GITHUB_TOKEN |
Open source security advisories, affected packages, severity |
| OSV | None | Package-level vulnerability data across 16+ ecosystems |
| Shodan CVEDB | None | CVE lookup with integrated EPSS/KEV/CPE, IP vulnerability scan |
| VulnCheck | Optional VULNCHECK_API_KEY |
Extended KEV (~80% more entries), CPE/PURL vulnerability search |
| Vulners | Optional VULNERS_API_KEY |
Vulnerability search across 200+ sources, exploit references |
| Nuclei Templates | None | CVE detection template existence check (severity, tags) |
| Metasploit | None | Exploit module existence check (type, rank, path) |
| CIRCL | None | CVE enrichment with CAPEC mapping, alt references, impact vectors |
| AttackerKB | Optional ATTACKERKB_API_KEY |
Community assessments (attacker value, exploitability ratings) |
| MITRE ATT&CK | None | CWE-to-ATT&CK technique mapping (tactics, techniques) |
| MITRE CWE | None | Full CWE database (1000+ weaknesses, hierarchy, mitigations) |
Risk Score Formula
Risk Score = CVSS Base Score × EPSS Score × KEV Multiplier × Exploit Multiplier
Where:
CVSS Base Score = 0-10 (severity from NVD)
EPSS Score = 0-1 (exploitation probability from FIRST)
KEV Multiplier = 2 if in CISA KEV, 1 otherwise
Exploit Multiplier = 1.5 if Nuclei template OR Metasploit module exists, 1 otherwise
This gives a practical risk score that balances severity (CVSS) with real-world exploitation likelihood (EPSS), known active exploitation (KEV), and weaponization signals (public exploit tooling).
Architecture
src/
├── index.ts Entry point + MCP stdio
├── types/
│ └── index.ts ToolDef, ToolContext, ToolResult, API types
├── protocol/
│ ├── tools.ts 41 tool definitions (Zod schemas)
│ └── mcp-server.ts MCP server + stdio transport
├── nvd/
│ ├── index.ts NVD API v2 — search, get, recent
│ └── cpe.ts Product/CPE search
├── epss/
│ └── index.ts EPSS — score, top
├── kev/
│ └── index.ts KEV — check, search, recent (cached)
├── ghsa/
│ └── index.ts GitHub Advisory — search, get
├── osv/
│ └── index.ts OSV — query, get, batch
├── exploit/
│ └── index.ts PoC search via GitHub repos
├── shodan/
│ └── index.ts Shodan CVEDB + InternetDB (zero-auth)
├── vulncheck/
│ └── index.ts VulnCheck KEV, CPE, PURL
├── vulners/
│ └── index.ts Vulners search + lookup
├── nuclei/
│ └── index.ts Nuclei template existence check
├── metasploit/
│ └── index.ts MSF module check (cached metadata)
├── cpe/
│ └── index.ts NVD CPE dictionary API
├── circl/
│ └── index.ts CIRCL CVE enrichment
├── attackerkb/
│ └── index.ts AttackerKB assessments
├── attack/
│ └── index.ts CWE → MITRE ATT&CK mapping
├── cwe/
│ └── index.ts CWE API (MITRE) + static fallback
├── cvss/
│ └── index.ts CVSS v3.1 + v4.0 parser + calculator
├── meta/
│ ├── enrich.ts Full CVE enrichment (8 sources parallel)
│ ├── prioritize.ts Risk-based CVE ranking
│ ├── trending.ts Trending CVEs by EPSS
│ ├── compare.ts Side-by-side CVE comparison
│ └── sources.ts 11 source health checks
└── utils/
├── rate-limiter.ts Queue-based rate limiter
└── cache.ts TTL cache
Design decisions:
- Intelligence, not audit — Unlike cloud-audit-mcp and github-security-mcp, this is a data tool. No CheckResult, no findings accumulation. Each query is independent and stateless.
- Parallel enrichment —
cve_enrichcalls 8 sources viaPromise.allSettled. If one source is down, the rest still return data. - Weaponization detection — Checks Nuclei template and Metasploit module existence to flag CVEs with public exploit tooling.
- Shared rate limiter — All NVD modules share a single
RateLimiterinstance (6s between requests) to avoid 429 errors. - KEV + MSF caching — KEV catalog (~1200 entries) and MSF module metadata (~15MB) loaded once, cached with 1-hour TTL.
- CWE dual-mode — MITRE CWE REST API for full detail (1000+ CWEs), with 40+ entry static fallback when API is unreachable.
- CVSS v3.1 + v4.0 — Auto-detects version from vector prefix. V4.0 uses MacroVector scoring approach.
- ATT&CK mapping — Static CWE-to-technique table (33 CWE entries → ATT&CK techniques). No API calls.
- 2 dependencies —
@modelcontextprotocol/sdkandzod. Nothing else.
Limitations
- NVD API without
NVD_API_KEYis limited to 5 requests per 30 seconds. Set the key for production use - GitHub Advisory search without
GITHUB_TOKENis limited to 60 requests per hour - VulnCheck, Vulners, and AttackerKB require API keys for full functionality
- Exploit search uses GitHub repository search which has its own rate limits
- MSF module metadata (~15MB) is loaded on first use — initial
msf_checkcall is slower - CVSS v4.0 scoring uses MacroVector approximation (exact specification is very complex)
- ATT&CK mapping covers 33 CWE entries — uncommon CWEs may not map
- macOS / Linux (Windows not tested)
Part of the MCP Security Suite
| Project | Domain | Tools |
|---|---|---|
| hackbrowser-mcp | Browser-based security testing | 39 tools, Firefox, injection testing |
| cloud-audit-mcp | Cloud security (AWS/Azure/GCP) | 38 tools, 60+ checks |
| github-security-mcp | GitHub security posture | 39 tools, 45 checks |
| cve-mcp | Vulnerability intelligence | 41 tools, 11 sources |
For authorized security testing and assessment only.
Always ensure you have proper authorization before testing systems.
MIT License • Built with Bun + TypeScript
Установка Cve
У этого сервера нет опубликованного пакета — он собирается из исходников. Открой репозиторий и следуй инструкции в README.
▸ github.com/badchars/cve-mcpFAQ
Cve MCP бесплатный?
Да, Cve MCP бесплатный — установка в пару кликов через Unyly без оплаты.
Нужен ли API-ключ для Cve?
Нет, Cve работает без API-ключей и переменных окружения.
Cve — hosted или self-hosted?
Доступен hosted-вариант: Unyly запускает сервер в облаке, локальная установка не обязательна.
Как установить Cve в Claude Desktop, Claude Code или Cursor?
Открой Cve на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.
Похожие MCP
GitHub
PRs, issues, code search, CI status
автор: GitHubFilesystem
Secure file operations with configurable access controls.
Memory
Knowledge graph-based persistent memory system.
Template MCP Server
A CLI tool to create a new Model Context Protocol server project with TypeScript support, dual transport options, and an extensible structure
автор: mcpdotdirectCompare Cve with
Не уверен что выбрать?
Найди свой стек за 60 секунд
Автор?
Embed-бейдж для README
Похожее
Все в категории development
