CVE MCP Server
Security intelligence MCP server that lets Claude look up CVEs, EPSS scores, CISA KEV status, OSV package vulnerabilities, exploit indicators, MITRE mappings, IP reputation, passive DNS, Shodan host data, malware intelligence, URL safety, and risk reports across optional third-party APIs.
Open the source and read safety notes before installing.
Safety notes
- CVE, CVSS, EPSS, KEV, exploit, PoC, MITRE, package-advisory, malware, and IP-reputation data can be stale, incomplete, provider-specific, or false positive.
- Treat generated risk scores and vulnerability reports as triage aids, not patch policy, incident-response authority, or compliance evidence by themselves.
- Some tools can submit or query URLs, IP addresses, domains, file hashes, package names, repository search terms, and exploit indicators against third-party services.
- Shodan, URLScan, VirusTotal, AbuseIPDB, GreyNoise, CIRCL, GitHub, VulnCheck, NVD, OSV, and other providers may apply rate limits, visibility rules, account terms, and retention policies.
- Review provider defaults before scanning URLs or infrastructure because some services can expose submitted targets or scan metadata publicly.
- The project documentation says the server uses outbound HTTPS only and blocks private/internal IP lookups, but users should still avoid unauthorized reconnaissance or sensitive internal target submission.
Privacy notes
- Security queries can reveal vulnerable products, internal triage priorities, asset names, IP addresses, domains, URLs, file hashes, package versions, malware interests, and investigation targets to upstream APIs.
- API keys are loaded from environment variables; keep them scoped, rotated, and out of model transcripts, shell history, and shared configuration files.
- The implementation initializes a local SQLite cache and rotating audit log, which can retain query parameters, statuses, timings, source results, and security-investigation context.
- Audit logging redacts fields whose names include key or token, but other query values can still be sensitive and should be protected as security data.
- The repository license file is Apache-2.0 while the README badge and pyproject classifier currently mention MIT, so verify current licensing before redistribution or commercial reuse.
Prerequisites
- Python 3.10 or newer for the source project, or a Python version supported by the currently published package.
- pip, uv, or another supported Python package installer.
- Network access to the selected vulnerability, threat-intelligence, and package-advisory APIs.
- Optional API keys for NVD, GitHub, VulnCheck, AbuseIPDB, VirusTotal, URLScan, Shodan, GreyNoise, or CIRCL Passive DNS when those integrations are needed.
- Authorization to query the CVEs, packages, domains, IP addresses, URLs, hashes, repositories, and security-investigation targets being analyzed.
Schema details
- Install type: cli
- Troubleshooting: No
- Scope: Source repo
- Estimated setup: 15 minutes
- Difficulty: intermediate
Full copyable content
{
  "mcpServers": {
    "cve-mcp": {
      "command": "cve-mcp",
      "env": {
        "NVD_API_KEY": "",
        "GITHUB_TOKEN": ""
      }
    }
  }
}
About this resource
Content
CVE MCP Server is a Python Model Context Protocol server for security intelligence and vulnerability triage. It gives Claude access to tools for CVE lookup, NVD search, OSV dependency checks, EPSS scoring, CISA KEV checks, CVSS parsing, vendor-advisory retrieval, exploit and PoC availability checks, MITRE attack mapping, timeline generation, dependency scans, repository secret search, IP reputation, passive DNS, Shodan host lookup, malware-family lookup, URL safety checks, ransomware intelligence, risk scoring, and vulnerability reports.
The server runs over stdio with cve-mcp, uses outbound HTTPS for upstream data
sources, and supports optional API keys for higher-rate or provider-specific
integrations. Its implementation initializes a SQLite cache and rotating audit
log, validates selected inputs, and redacts audit fields whose names include
key or token.
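The name-based redaction described above, as an added example that is not the project's own code: it masks fields whose names contain key or token, then lists everything that would still be written to the log in cleartext. The audit record, tool name, and field names are constructed for illustration.

```python
# Assumption: the substrings come from the page's description of the audit log.
SENSITIVE_NAME_PARTS = ("key", "token")
REDACTED = "[REDACTED]"

def redact_by_name(value):
    """Return a copy with every field whose *name* matches masked out."""
    if isinstance(value, dict):
        out = {}
        for name, inner in value.items():
            if any(part in name.lower() for part in SENSITIVE_NAME_PARTS):
                out[name] = REDACTED
            else:
                out[name] = redact_by_name(inner)
        return out
    if isinstance(value, list):
        return [redact_by_name(v) for v in value]
    return value

def surviving_fields(value, prefix=""):
    """Flatten a redacted record into {path: value} for all cleartext leaves."""
    found = {}
    if isinstance(value, dict):
        for name, inner in value.items():
            path = f"{prefix}.{name}" if prefix else name
            found.update(surviving_fields(inner, path))
    elif isinstance(value, list):
        for i, inner in enumerate(value):
            found.update(surviving_fields(inner, f"{prefix}[{i}]"))
    elif value != REDACTED:
        found[prefix] = value
    return found

# Constructed audit record; the tool and field names are hypothetical.
SAMPLE = {
    "tool": "check_url_safety",
    "params": {
        "url": "https://intranet.example.test/reset?session=abc123",
        "api_key": "constructed-not-a-real-key",
        "headers": {"X-Auth-Token": "constructed-token"},
    },
    "status": "ok",
    "duration_ms": 412,
}

if __name__ == "__main__":
    for path, val in surviving_fields(redact_by_name(SAMPLE)).items():
        print(f"{path} = {val!r}")
```

The submitted URL, including its query string, survives because its field name is neither key nor token, which is why the log file itself needs the same protection as other security data.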
Source Review
- https://github.com/mukul975/cve-mcp-server
- https://github.com/mukul975/cve-mcp-server/blob/main/README.md
- https://pypi.org/pypi/cve-mcp-server/json
- https://github.com/mukul975/cve-mcp-server/blob/main/pyproject.toml
- https://github.com/mukul975/cve-mcp-server/blob/main/src/cve_mcp/server.py
- https://github.com/mukul975/cve-mcp-server/blob/main/src/cve_mcp/config.py
- https://github.com/mukul975/cve-mcp-server/blob/main/src/cve_mcp/audit.py
- https://github.com/mukul975/cve-mcp-server/blob/main/.env.example
- https://github.com/mukul975/cve-mcp-server/blob/main/SECURITY.md
- https://github.com/mukul975/cve-mcp-server/blob/main/LICENSE
These sources were reviewed on 2026-06-06. Prefer the live repository, README, PyPI metadata, package metadata, implementation files, environment template, security policy, and license file for current install commands, tool behavior, optional credentials, audit/cache behavior, provider requirements, and licensing.
Features
- Python package and stdio MCP server launched with cve-mcp.
- CVE lookup and search through NVD, with optional API key support for higher request limits.
- EPSS scoring, CISA KEV status checks, CVSS vector parsing, and vendor-advisory lookup workflows.
- OSV package vulnerability checks, dependency-list scans, container package scans, and GitHub advisory or repository search workflows.
- Exploit and PoC availability checks, MITRE attack mapping, CVE timeline generation, risk scoring, CVE comparison, and vulnerability report generation.
- Threat-intelligence workflows for IP reputation, passive DNS, Shodan host data, file-hash intelligence, malware-family lookup, ransomware indicators, and URL safety.
- Optional provider credentials for NVD, GitHub, VulnCheck, AbuseIPDB, VirusTotal, URLScan, Shodan, GreyNoise, and CIRCL Passive DNS.
- SQLite cache and rotating audit log paths configurable through environment variables.
Installation
Install the package, then configure your MCP client:
pip install cve-mcp-server
{
  "mcpServers": {
    "cve-mcp": {
      "command": "cve-mcp",
      "env": {
        "NVD_API_KEY": "",
        "GITHUB_TOKEN": "",
        "ABUSEIPDB_KEY": "",
        "VIRUSTOTAL_KEY": "",
        "URLSCAN_KEY": "",
        "SHODAN_KEY": "",
        "GREYNOISE_API_KEY": ""
      }
    }
  }
}
Restart the MCP client, then ask Claude to analyze an approved CVE, package, domain, IP address, file hash, or URL. Add only the provider keys needed for the specific tools you plan to use.
Use Cases
- Triage a CVE by combining NVD details, EPSS probability, CISA KEV status, exploit availability, and vendor advisory context.
- Prioritize a backlog of vulnerabilities with transparent source evidence before patch-window planning.
- Check whether a package and version appears in OSV or GitHub advisory data.
- Enrich an approved incident-response indicator with IP reputation, passive DNS, malware, ransomware, URL, or file-hash intelligence.
- Compare multiple CVEs and draft an evidence-backed vulnerability report for human review.
- Map vulnerability findings to MITRE attack context for security notes or remediation discussions.
Safety and Privacy
Use CVE MCP Server as an intelligence retrieval and prioritization aid, not as a replacement for vendor advisories, asset ownership checks, change-management approval, or incident-response judgment. Security datasets differ by provider, can change quickly, and can contain false positives or stale records.
Queries to third-party services can expose sensitive security context, including assets, vulnerable packages, domains, IP addresses, file hashes, URLs, and investigation focus. Review each provider's terms, visibility defaults, and retention behavior before submitting sensitive targets. Protect the local cache, rotating audit log, environment variables, MCP client configuration, and model conversation history as security data.
The source repository's security notes say the server makes outbound HTTPS requests only, does not open inbound ports, does not log API keys, and blocks private/internal IP lookups. Those controls reduce risk, but they do not replace authorization checks or provider-specific privacy review.
Duplicate Check
Existing MCP content includes security-adjacent entries such as ContrastAPI,
Socket, and HexStrike AI. CVE MCP Server is distinct because it covers
mukul975/cve-mcp-server, a Python stdio MCP server focused on CVE and
threat-intelligence lookup with optional provider keys, local SQLite cache,
rotating audit logs, and tools spanning CVE, EPSS, KEV, OSV, exploit signals,
MITRE mappings, IP/domain/hash/URL intelligence, risk scoring, and report
generation. No matching CVE MCP Server source URL or dedicated entry was found
in content/mcp.