Command Palette

Search for a command to run...

UnylyUnyly
Весь каталог

Cve

БесплатноНе проверен

Unifies NVD, EPSS, CISA KEV, GitHub Advisory, and OSV into a single MCP server, enabling AI agents to query vulnerability intelligence conversationally with 23

GitHubEmbed

Описание

Unifies NVD, EPSS, CISA KEV, GitHub Advisory, and OSV into a single MCP server, enabling AI agents to query vulnerability intelligence conversationally with 23 tools for incident response, prioritization, dependency audits, and threat monitoring.

README

English | 简体中文 | 繁體中文 | 한국어 | Deutsch | Español | Français | Italiano | Dansk | 日本語 | Polski | Русский | Bosanski | العربية | Norsk | Português (Brasil) | ไทย | Türkçe | Українська | বাংলা | Ελληνικά | Tiếng Việt | हिन्दी


cve-mcp

CVE & vulnerability intelligence for AI agents.

NVD, EPSS, CISA KEV, GitHub Advisory, OSV, Shodan, VulnCheck, Vulners, Nuclei, Metasploit, CIRCL, AttackerKB, and MITRE ATT&CK — unified into a single MCP server.
Your AI agent gets vulnerability intelligence on demand, not a 200-page report.


The ProblemHow It's DifferentQuick StartWhat The AI Can DoToolsData SourcesArchitectureContributingChangelog

npm License Bun MCP 41 Tools 11 Sources


The Problem

Vulnerability intelligence is scattered across multiple databases. NVD has CVE details. EPSS tells you exploitation probability. CISA KEV tracks actively exploited vulns. GitHub Advisory covers open source packages. OSV maps vulnerabilities to specific package versions. Shodan tracks internet exposure. Nuclei and Metasploit tell you if there's a working exploit. No single tool aggregates them, and none work with AI agents.

Traditional workflow:
  search NVD for CVE details          →  navigate a clunky web UI
  check EPSS for exploitation risk    →  separate API, separate format
  look up CISA KEV status             →  download a JSON feed manually
  search GitHub advisories            →  yet another interface
  query OSV for package impact        →  different API, different schema
  check Shodan for exposure           →  separate subscription
  look for Nuclei/MSF exploits        →  manual GitHub search
  map to ATT&CK techniques            →  separate MITRE lookup
  correlate everything                →  copy-paste into a spreadsheet
  ──────────────────────────────────
  Total: 30+ minutes per CVE, longer for bulk triage

cve-mcp gives your AI agent 41 tools via the Model Context Protocol. The agent queries 11 sources in parallel, correlates data, detects weaponization signals, calculates risk scores, and tells you exactly what matters.

With cve-mcp:
  You: "Prioritize these 10 CVEs by actual exploitation risk"

  Agent: → fetches CVSS scores from NVD
         → gets EPSS exploitation probability for each
         → checks CISA KEV for actively exploited
         → cross-references GitHub advisories for patches
         → "3 are critical: CVE-2024-3400 (EPSS 97%, in KEV),
            CVE-2023-44487 (HTTP/2 rapid reset, EPSS 96%),
            CVE-2021-44228 (Log4Shell, EPSS 97%, in KEV).
            Here are patches and affected versions..."

How It's Different

Existing tools give you raw data. cve-mcp gives your AI agent the ability to reason about vulnerabilities.

Traditional Tools cve-mcp
Interface Web UI / CLI / raw API calls MCP — AI agent calls tools conversationally
Data sources One database at a time 11 sources in parallel: NVD, EPSS, KEV, GHSA, OSV, Shodan, VulnCheck, Vulners, Nuclei, Metasploit, CIRCL
Risk scoring CVSS only (severity, not exploitability) CVSS × EPSS × KEV × Exploit multiplier (Nuclei/MSF) = actual risk
Correlation Manual copy-paste Agent enriches: "CVSS 9.8, EPSS 97%, KEV, Nuclei template exists, MSF module available, maps to T1190"
Bulk triage One CVE at a time Agent prioritizes 50 CVEs in a single conversation
Package impact Separate OSV/GHSA lookup Agent finds affected packages + versions automatically
Dependencies Heavy CLI tools, Python environments 2 runtime dependencies, runs with npx

Quick Start

Option 1: npx (no install)

npx cve-mcp

Option 2: Clone

git clone https://github.com/badchars/cve-mcp.git
cd cve-mcp
bun install

Environment variables (all optional)

# Increases NVD rate limit from 5 to 50 requests per 30 seconds
export NVD_API_KEY=your-nvd-api-key

# Enables GitHub Advisory search (60 → 5000 requests/hour)
export GITHUB_TOKEN=ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

# VulnCheck extended KEV, CPE, PURL search
export VULNCHECK_API_KEY=your-vulncheck-key

# Vulners vulnerability search across 200+ sources
export VULNERS_API_KEY=your-vulners-key

# AttackerKB community assessments
export ATTACKERKB_API_KEY=your-attackerkb-key

All are optional. The server works without them — some tools just have lower rate limits or reduced data.

Connect to your AI agent

Claude Code
# With npx
claude mcp add cve-mcp -- npx cve-mcp

# With local clone
claude mcp add cve-mcp -- bun run /path/to/cve-mcp/src/index.ts
Claude Desktop

Add to ~/Library/Application Support/Claude/claude_desktop_config.json:

{
  "mcpServers": {
    "cve-mcp": {
      "command": "npx",
      "args": ["cve-mcp"],
      "env": {
        "NVD_API_KEY": "optional-key",
        "GITHUB_TOKEN": "optional-token",
        "VULNCHECK_API_KEY": "optional-key",
        "VULNERS_API_KEY": "optional-key",
        "ATTACKERKB_API_KEY": "optional-key"
      }
    }
  }
}
Cursor / Windsurf / other MCP clients

Same JSON config format. Point the command to npx cve-mcp or your installation path.

Start querying

You: "What do you know about CVE-2024-3400?"

That's it. The agent handles the rest.


What The AI Can Do

Incident Response

You: "We got hit by CVE-2024-3400. Give me everything."

Agent: → cve_enrich {cveId: "CVE-2024-3400"}
       → NVD: PAN-OS command injection, CVSS 10.0
       → EPSS: 97.2% exploitation probability
       → KEV: Added 2024-04-12, due 2024-05-01
       → Shodan: 4 CPEs, internet-exposed
       → Nuclei: Detection template exists (critical)
       → Metasploit: Exploit module available (excellent rank)
       → "Critical. Weaponized — both Nuclei and MSF modules exist.
          PAN-OS GlobalProtect, versions < 10.2.9-h1.
          Patch immediately. CISA deadline: May 1."

Vulnerability Prioritization

You: "Prioritize these CVEs from our scan: CVE-2021-44228, CVE-2024-3400,
      CVE-2023-44487, CVE-2024-21762, CVE-2023-4966"

Agent: → cve_prioritize {cves: [...]}
       → Ranks by CVSS × EPSS × KEV multiplier
       → "#1: CVE-2024-3400 (risk: 19.44, CVSS 10.0, EPSS 97%, KEV)
          #2: CVE-2021-44228 (risk: 19.40, CVSS 10.0, EPSS 97%, KEV)
          #3: CVE-2023-4966 (risk: 19.10, CVSS 9.4, EPSS 97%, KEV)
          All 5 are in CISA KEV — patch all immediately."

Dependency Audit

You: "Check if lodash 4.17.20 and django 3.2.0 have known vulnerabilities"

Agent: → osv_batch {queries: [
          {package: "lodash", version: "4.17.20", ecosystem: "npm"},
          {package: "django", version: "3.2.0", ecosystem: "PyPI"}
       ]}
       → "lodash 4.17.20: 3 vulnerabilities (prototype pollution)
          django 3.2.0: 12 vulnerabilities (SQL injection, XSS)
          Upgrade lodash to 4.17.21+, django to 4.2+"

Threat Monitoring

You: "What are the most likely to be exploited CVEs right now?"

Agent: → cve_trending {limit: 10, minEpss: 0.9}
       → "Top 10 by exploitation probability:
          1. CVE-2024-3400 — PAN-OS (EPSS 97.2%, CVSS 10.0, KEV)
          2. CVE-2023-44487 — HTTP/2 Rapid Reset (EPSS 96.5%, CVSS 7.5, KEV)
          ..."

CVSS Deep Dive (v3.1 & v4.0)

You: "Break down this CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"

Agent: → cvss_parse {vector: "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}
       → "CVSS v4.0 — Score: 9.3 (CRITICAL)
          Network attack, low complexity, no attack requirements.
          No privileges, no user interaction.
          Vulnerable system: full C/I/A impact.
          Subsequent systems: no impact."

ATT&CK Mapping

You: "Map CVE-2024-3400 to MITRE ATT&CK techniques"

Agent: → cve_to_attack {cweIds: ["CWE-77"]}
       → "CWE-77 (Command Injection) maps to:
          T1059 — Command and Scripting Interpreter (Execution)
          T1190 — Exploit Public-Facing Application (Initial Access)"

Tools Reference (41 tools)

NVD (4)
Tool Description
nvd_search Search CVEs by keyword, severity, CWE, date range
nvd_get Get full CVE details (CVSS, CWE, CPE, references)
nvd_recent Recently published/modified CVEs
cve_by_product Search CVEs by product name (CPE keyword match)
EPSS (2)
Tool Description
epss_score EPSS exploitation probability for one or more CVEs
epss_top Top CVEs by exploitation probability
KEV (3)
Tool Description
kev_check Check if CVE(s) are in CISA Known Exploited Vulnerabilities catalog
kev_search Search KEV by vendor, product, or keyword
kev_recent Recently added KEV entries
GHSA (2)
Tool Description
ghsa_search Search GitHub security advisories by keyword, ecosystem, severity
ghsa_get Get advisory details by GHSA ID or CVE ID
OSV (3)
Tool Description
osv_query Query vulnerabilities for a specific package version
osv_get Get vulnerability details by OSV/GHSA/CVE ID
osv_batch Batch query multiple packages at once
Exploit (1)
Tool Description
exploit_search Search for public PoC exploits (GitHub repositories)
Shodan (3)
Tool Description
shodan_cve CVE lookup via Shodan CVEDB (EPSS, KEV, CPE integrated, zero-auth)
shodan_product Find CVEs by product/vendor name via Shodan
shodan_ip_vulns Get known vulnerabilities for an IP address (InternetDB)
VulnCheck (3)
Tool Description
vulncheck_kev Extended KEV catalog (~80% more entries than CISA)
vulncheck_cpe CVE search by CPE string
vulncheck_purl CVE search by Package URL (purl)
Vulners (2)
Tool Description
vulners_lookup CVE details from Vulners (200+ sources, exploit refs)
vulners_search Full-text vulnerability search across Vulners database
Nuclei & Metasploit (2)
Tool Description
nuclei_check Check if a Nuclei detection template exists for a CVE
msf_check Check if a Metasploit exploit module exists for a CVE
CPE (2)
Tool Description
cpe_search Search NVD CPE dictionary by keyword
cpe_match Get CPE matches for a specific CVE
CIRCL (1)
Tool Description
circl_cve CIRCL CVE enrichment (CAPEC, alt references, impact vectors)
AttackerKB (1)
Tool Description
attackerkb_assess Community assessments from AttackerKB (attacker value, exploitability)
ATT&CK (1)
Tool Description
cve_to_attack Map CVE CWE IDs to MITRE ATT&CK techniques and tactics
CWE (4)
Tool Description
cwe_lookup Look up CWE weakness by ID or search by keyword (static DB)
cwe_get Full CWE details from MITRE API (1000+ CWEs, mitigations, examples)
cwe_hierarchy CWE parent/child hierarchy from MITRE API
cwe_top25 MITRE CWE Top 25 Most Dangerous Software Weaknesses
CVSS (1)
Tool Description
cvss_parse Parse and explain CVSS v3.1 or v4.0 vector string with score calculation
Meta (6)
Tool Description
cve_enrich Full enrichment: NVD + EPSS + KEV + GHSA + OSV + Shodan + Nuclei + MSF in parallel
cve_prioritize Rank CVEs by risk (CVSS × EPSS × KEV × Exploit multiplier)
cve_trending Currently trending CVEs by exploitation probability
cve_compare Side-by-side comparison of two CVEs
cve_list_sources List all 11 data sources and their availability
cve_report Generate a markdown vulnerability report

Data Sources

Source Auth What it provides
NVD Optional NVD_API_KEY CVE details, CVSS scores, CWE mappings, CPE affected products, references
EPSS None Exploitation probability score (0-1) and percentile ranking
CISA KEV None Known exploited vulnerabilities with remediation deadlines
GitHub Advisory Optional GITHUB_TOKEN Open source security advisories, affected packages, severity
OSV None Package-level vulnerability data across 16+ ecosystems
Shodan CVEDB None CVE lookup with integrated EPSS/KEV/CPE, IP vulnerability scan
VulnCheck Optional VULNCHECK_API_KEY Extended KEV (~80% more entries), CPE/PURL vulnerability search
Vulners Optional VULNERS_API_KEY Vulnerability search across 200+ sources, exploit references
Nuclei Templates None CVE detection template existence check (severity, tags)
Metasploit None Exploit module existence check (type, rank, path)
CIRCL None CVE enrichment with CAPEC mapping, alt references, impact vectors
AttackerKB Optional ATTACKERKB_API_KEY Community assessments (attacker value, exploitability ratings)
MITRE ATT&CK None CWE-to-ATT&CK technique mapping (tactics, techniques)
MITRE CWE None Full CWE database (1000+ weaknesses, hierarchy, mitigations)

Risk Score Formula

Risk Score = CVSS Base Score × EPSS Score × KEV Multiplier × Exploit Multiplier

Where:
  CVSS Base Score     = 0-10 (severity from NVD)
  EPSS Score          = 0-1 (exploitation probability from FIRST)
  KEV Multiplier      = 2 if in CISA KEV, 1 otherwise
  Exploit Multiplier  = 1.5 if Nuclei template OR Metasploit module exists, 1 otherwise

This gives a practical risk score that balances severity (CVSS) with real-world exploitation likelihood (EPSS), known active exploitation (KEV), and weaponization signals (public exploit tooling).


Architecture

src/
├── index.ts                    Entry point + MCP stdio
├── types/
│   └── index.ts                ToolDef, ToolContext, ToolResult, API types
├── protocol/
│   ├── tools.ts                41 tool definitions (Zod schemas)
│   └── mcp-server.ts           MCP server + stdio transport
├── nvd/
│   ├── index.ts                NVD API v2 — search, get, recent
│   └── cpe.ts                  Product/CPE search
├── epss/
│   └── index.ts                EPSS — score, top
├── kev/
│   └── index.ts                KEV — check, search, recent (cached)
├── ghsa/
│   └── index.ts                GitHub Advisory — search, get
├── osv/
│   └── index.ts                OSV — query, get, batch
├── exploit/
│   └── index.ts                PoC search via GitHub repos
├── shodan/
│   └── index.ts                Shodan CVEDB + InternetDB (zero-auth)
├── vulncheck/
│   └── index.ts                VulnCheck KEV, CPE, PURL
├── vulners/
│   └── index.ts                Vulners search + lookup
├── nuclei/
│   └── index.ts                Nuclei template existence check
├── metasploit/
│   └── index.ts                MSF module check (cached metadata)
├── cpe/
│   └── index.ts                NVD CPE dictionary API
├── circl/
│   └── index.ts                CIRCL CVE enrichment
├── attackerkb/
│   └── index.ts                AttackerKB assessments
├── attack/
│   └── index.ts                CWE → MITRE ATT&CK mapping
├── cwe/
│   └── index.ts                CWE API (MITRE) + static fallback
├── cvss/
│   └── index.ts                CVSS v3.1 + v4.0 parser + calculator
├── meta/
│   ├── enrich.ts               Full CVE enrichment (8 sources parallel)
│   ├── prioritize.ts           Risk-based CVE ranking
│   ├── trending.ts             Trending CVEs by EPSS
│   ├── compare.ts              Side-by-side CVE comparison
│   └── sources.ts              11 source health checks
└── utils/
    ├── rate-limiter.ts          Queue-based rate limiter
    └── cache.ts                 TTL cache

Design decisions:

  • Intelligence, not audit — Unlike cloud-audit-mcp and github-security-mcp, this is a data tool. No CheckResult, no findings accumulation. Each query is independent and stateless.
  • Parallel enrichmentcve_enrich calls 8 sources via Promise.allSettled. If one source is down, the rest still return data.
  • Weaponization detection — Checks Nuclei template and Metasploit module existence to flag CVEs with public exploit tooling.
  • Shared rate limiter — All NVD modules share a single RateLimiter instance (6s between requests) to avoid 429 errors.
  • KEV + MSF caching — KEV catalog (~1200 entries) and MSF module metadata (~15MB) loaded once, cached with 1-hour TTL.
  • CWE dual-mode — MITRE CWE REST API for full detail (1000+ CWEs), with 40+ entry static fallback when API is unreachable.
  • CVSS v3.1 + v4.0 — Auto-detects version from vector prefix. V4.0 uses MacroVector scoring approach.
  • ATT&CK mapping — Static CWE-to-technique table (33 CWE entries → ATT&CK techniques). No API calls.
  • 2 dependencies@modelcontextprotocol/sdk and zod. Nothing else.

Limitations

  • NVD API without NVD_API_KEY is limited to 5 requests per 30 seconds. Set the key for production use
  • GitHub Advisory search without GITHUB_TOKEN is limited to 60 requests per hour
  • VulnCheck, Vulners, and AttackerKB require API keys for full functionality
  • Exploit search uses GitHub repository search which has its own rate limits
  • MSF module metadata (~15MB) is loaded on first use — initial msf_check call is slower
  • CVSS v4.0 scoring uses MacroVector approximation (exact specification is very complex)
  • ATT&CK mapping covers 33 CWE entries — uncommon CWEs may not map
  • macOS / Linux (Windows not tested)

Part of the MCP Security Suite

Project Domain Tools
hackbrowser-mcp Browser-based security testing 39 tools, Firefox, injection testing
cloud-audit-mcp Cloud security (AWS/Azure/GCP) 38 tools, 60+ checks
github-security-mcp GitHub security posture 39 tools, 45 checks
cve-mcp Vulnerability intelligence 41 tools, 11 sources

For authorized security testing and assessment only.
Always ensure you have proper authorization before testing systems.

MIT License • Built with Bun + TypeScript

from github.com/badchars/cve-mcp

Установка Cve

У этого сервера нет опубликованного пакета — он собирается из исходников. Открой репозиторий и следуй инструкции в README.

▸ github.com/badchars/cve-mcp

FAQ

Cve MCP бесплатный?

Да, Cve MCP бесплатный — установка в пару кликов через Unyly без оплаты.

Нужен ли API-ключ для Cve?

Нет, Cve работает без API-ключей и переменных окружения.

Cve — hosted или self-hosted?

Доступен hosted-вариант: Unyly запускает сервер в облаке, локальная установка не обязательна.

Как установить Cve в Claude Desktop, Claude Code или Cursor?

Открой Cve на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.

Похожие MCP

Compare Cve with

Не уверен что выбрать?

Найди свой стек за 60 секунд

Автор?

Embed-бейдж для README

Похожее

Все в категории development