@cyanheads/nist-nvd-mcp-server

v0.1.7 pre-1.0

Search and audit CVEs by keyword, severity, CWE, CISA KEV status, and CPE via the NIST National Vulnerability Database. STDIO or Streamable HTTP.

public 5 tools 1 resources protocol 2025-11-25 github cyanheads/nist-nvd-mcp-server
@cyanheads/nist-nvd-mcp-server 
claude mcp add --transport http nist-nvd-mcp-server https://nist-nvd.caseyjhand.com/mcp
codex mcp add nist-nvd-mcp-server --url https://nist-nvd.caseyjhand.com/mcp
{
  "mcpServers": {
    "nist-nvd-mcp-server": {
      "url": "https://nist-nvd.caseyjhand.com/mcp"
    }
  }
}
gemini mcp add --transport http nist-nvd-mcp-server https://nist-nvd.caseyjhand.com/mcp
{
  "mcpServers": {
    "nist-nvd-mcp-server": {
      "command": "bunx",
      "args": [
        "@cyanheads/nist-nvd-mcp-server@latest"
      ]
    }
  }
}
{
  "mcpServers": {
    "nist-nvd-mcp-server": {
      "type": "http",
      "url": "https://nist-nvd.caseyjhand.com/mcp"
    }
  }
}
curl -X POST https://nist-nvd.caseyjhand.com/mcp \
  -H "Content-Type: application/json" \
  -H "MCP-Protocol-Version: 2025-11-25" \
  -d '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2025-11-25","capabilities":{},"clientInfo":{"name":"curl","version":"1.0.0"}}}'
Built on@cyanheads/mcp-ts-core v0.9.13

Tools

5

nvd_get_cve

Fetch one or more CVEs by ID from the NIST National Vulnerability Database. Returns CVSS scores across all available versions (v2.0, v3.0, v3.1, v4.0), CWE weakness classifications, affected CPE configurations, CISA KEV fields, and references. Up to 100 CVE IDs per call. For bulk lookups of more than 10 IDs, use brief: true — full records for 100 CVEs can exceed 1MB and exhaust context budgets.

read
invocation 
{
  "jsonrpc": "2.0",
  "id": 1,
  "method": "tools/call",
  "params": {
    "name": "nvd_get_cve",
    "arguments": {
      "cveIds": "<cveIds>"
    }
  }
}
schema 
{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "type": "object",
  "properties": {
    "cveIds": {
      "anyOf": [
        {
          "type": "string",
          "description": "A single CVE ID (e.g., \"CVE-2021-44228\")."
        },
        {
          "minItems": 1,
          "maxItems": 100,
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "An array of CVE IDs — at least 1, up to 100 per call."
        }
      ],
      "description": "One CVE ID or an array of up to 100 CVE IDs to fetch."
    },
    "brief": {
      "default": false,
      "description": "When true, returns trimmed records (ID, status, top CVSS score, KEV name, published date) instead of full detail. Recommended for batches of more than 10 IDs.",
      "type": "boolean"
    },
    "includeReferences": {
      "default": true,
      "description": "When false, omits the references array to reduce response size.",
      "type": "boolean"
    }
  },
  "required": [
    "cveIds",
    "brief",
    "includeReferences"
  ],
  "additionalProperties": false
}
view source ↗

nvd_search_cves

Search CVEs by keyword, severity, CWE, date range, or CISA KEV status. The primary discovery tool for vulnerability surveillance and triage workflows. pubDays and lastModDays are convenience shorthands that expand to date pairs; values over 120 days are clamped to the NVD maximum and reported in queryMeta. Returns brief summaries — call nvd_get_cve for full detail on specific IDs. At least one filter is recommended; omitting all filters returns CVEs in default NVD index order (oldest first by CVE ID).

read
invocation 
{
  "jsonrpc": "2.0",
  "id": 1,
  "method": "tools/call",
  "params": {
    "name": "nvd_search_cves",
    "arguments": {}
  }
}
schema 
{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "type": "object",
  "properties": {
    "keyword": {
      "description": "Full-text search across CVE descriptions (AND-semantics across words).",
      "type": "string"
    },
    "severity": {
      "description": "Filter to CVEs at this CVSS severity level or above.",
      "type": "string",
      "enum": [
        "LOW",
        "MEDIUM",
        "HIGH",
        "CRITICAL"
      ]
    },
    "severityVersion": {
      "default": "v3",
      "description": "CVSS version to use for the severity filter. Default: v3 (maps to cvssV3Severity).",
      "type": "string",
      "enum": [
        "v2",
        "v3",
        "v4"
      ]
    },
    "cweId": {
      "description": "Filter by CWE weakness ID (e.g., \"CWE-79\", \"NVD-CWE-Other\").",
      "type": "string"
    },
    "pubDays": {
      "description": "CVEs published in the last N days (max 120; values over 120 are clamped). Mutually exclusive with pubStartDate/pubEndDate.",
      "type": "integer",
      "exclusiveMinimum": 0,
      "maximum": 9007199254740991
    },
    "lastModDays": {
      "description": "CVEs last modified in the last N days (max 120; values over 120 are clamped). Mutually exclusive with lastModStartDate/lastModEndDate.",
      "type": "integer",
      "exclusiveMinimum": 0,
      "maximum": 9007199254740991
    },
    "pubStartDate": {
      "description": "ISO 8601 datetime for publication range start. Both pubStartDate and pubEndDate required together. Mutually exclusive with pubDays.",
      "type": "string"
    },
    "pubEndDate": {
      "description": "ISO 8601 datetime for publication range end. Both pubStartDate and pubEndDate required together.",
      "type": "string"
    },
    "lastModStartDate": {
      "description": "ISO 8601 datetime for last-modified range start. Both required together. Mutually exclusive with lastModDays.",
      "type": "string"
    },
    "lastModEndDate": {
      "description": "ISO 8601 datetime for last-modified range end. Both required together.",
      "type": "string"
    },
    "kevOnly": {
      "default": false,
      "description": "When true, filters results to CVEs in the CISA Known Exploited Vulnerabilities catalog.",
      "type": "boolean"
    },
    "noRejected": {
      "default": true,
      "description": "When true (default), excludes CVEs with REJECT/Rejected status.",
      "type": "boolean"
    },
    "limit": {
      "default": 20,
      "description": "Maximum number of results to return (default 20, max 2000).",
      "type": "integer",
      "minimum": 1,
      "maximum": 2000
    },
    "offset": {
      "default": 0,
      "description": "Zero-based page offset for pagination.",
      "type": "integer",
      "minimum": 0,
      "maximum": 9007199254740991
    }
  },
  "required": [
    "severityVersion",
    "kevOnly",
    "noRejected",
    "limit",
    "offset"
  ],
  "additionalProperties": false
}
view source ↗

nvd_audit_cpe

Find all CVEs affecting a specific product and version using CPE (Common Platform Enumeration). Requires either an exact CPE name (cpeName) or a partial match string (virtualMatchString) with optional version range bounds. With cpeName, NVD scopes results to configurations where the product is directly vulnerable, not merely referenced as a dependency. Use nvd_search_cpes first to resolve the correct CPE string for a product. Returns full CVE records.

read
invocation 
{
  "jsonrpc": "2.0",
  "id": 1,
  "method": "tools/call",
  "params": {
    "name": "nvd_audit_cpe",
    "arguments": {}
  }
}
schema 
{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "type": "object",
  "properties": {
    "cpeName": {
      "description": "Full CPEv2.3 name (e.g., \"cpe:2.3:a:apache:http_server:2.4.51:*:*:*:*:*:*:*\"). NVD adds isVulnerable automatically. Mutually exclusive with virtualMatchString.",
      "type": "string"
    },
    "virtualMatchString": {
      "description": "Partial CPE match pattern (e.g., \"cpe:2.3:a:apache:http_server:*\"). Use with versionStart/versionEnd for version range audits. Mutually exclusive with cpeName.",
      "type": "string"
    },
    "versionStart": {
      "description": "Lower version bound. Requires virtualMatchString.",
      "type": "string"
    },
    "versionStartType": {
      "default": "including",
      "description": "Whether the lower version bound is inclusive or exclusive.",
      "type": "string",
      "enum": [
        "including",
        "excluding"
      ]
    },
    "versionEnd": {
      "description": "Upper version bound. Requires virtualMatchString.",
      "type": "string"
    },
    "versionEndType": {
      "default": "including",
      "description": "Whether the upper version bound is inclusive or exclusive.",
      "type": "string",
      "enum": [
        "including",
        "excluding"
      ]
    },
    "severityMin": {
      "description": "Filter out CVEs below this severity level.",
      "type": "string",
      "enum": [
        "LOW",
        "MEDIUM",
        "HIGH",
        "CRITICAL"
      ]
    },
    "limit": {
      "default": 20,
      "description": "Maximum number of CVEs to return (default 20, max 2000).",
      "type": "integer",
      "minimum": 1,
      "maximum": 2000
    }
  },
  "required": [
    "versionStartType",
    "versionEndType",
    "limit"
  ],
  "additionalProperties": false
}
view source ↗

nvd_search_cpes

Search the NVD CPE (Common Platform Enumeration) dictionary by product keyword or partial match string. Returns CPE names, human-readable titles, and deprecation status. Use before nvd_audit_cpe to resolve the correct CPE name for a product — CPE strings are precise identifiers (e.g., cpe:2.3:a:apache:http_server:2.4.51:*:*:*:*:*:*:*) and must match exactly to audit the right product.

read
invocation 
{
  "jsonrpc": "2.0",
  "id": 1,
  "method": "tools/call",
  "params": {
    "name": "nvd_search_cpes",
    "arguments": {}
  }
}
schema 
{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "type": "object",
  "properties": {
    "keyword": {
      "description": "Product name or vendor keyword (e.g., \"apache http server\", \"openssl\", \"nginx\"). At least one of keyword or cpeMatchString is required.",
      "type": "string"
    },
    "cpeMatchString": {
      "description": "Partial CPEv2.3 pattern (e.g., \"cpe:2.3:a:apache:http_server\"). At least one of keyword or cpeMatchString is required.",
      "type": "string"
    },
    "limit": {
      "default": 20,
      "description": "Maximum number of CPE entries to return (default 20, max 10000). If totalResults > returned, narrow the keyword for a more specific result.",
      "type": "integer",
      "minimum": 1,
      "maximum": 10000
    }
  },
  "required": [
    "limit"
  ],
  "additionalProperties": false
}
view source ↗

nvd_get_cve_history

Retrieve the change history for a single CVE — CVSS score revisions, reference additions, status transitions (e.g., "Received" → "Analyzed"), and CPE configuration updates. Use when tracking a CVE's escalation or investigating when a score changed. For the current record, call nvd_get_cve instead. The NVD history endpoint is significantly slower than other NVD endpoints, especially without an API key — set NVD_API_KEY for reliable operation.

read
invocation 
{
  "jsonrpc": "2.0",
  "id": 1,
  "method": "tools/call",
  "params": {
    "name": "nvd_get_cve_history",
    "arguments": {
      "cveId": "<cveId>"
    }
  }
}
schema 
{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "type": "object",
  "properties": {
    "cveId": {
      "type": "string",
      "description": "CVE identifier to retrieve history for (e.g., \"CVE-2021-44228\")."
    },
    "limit": {
      "default": 20,
      "description": "Maximum number of change events to return (default 20, max 2000).",
      "type": "integer",
      "minimum": 1,
      "maximum": 2000
    },
    "offset": {
      "default": 0,
      "description": "Zero-based offset for paginating through change events.",
      "type": "integer",
      "minimum": 0,
      "maximum": 9007199254740991
    }
  },
  "required": [
    "cveId",
    "limit",
    "offset"
  ],
  "additionalProperties": false
}
view source ↗

Resources

1

NVD CVE Record

Fetch a single CVE record by ID from the NIST NVD via a stable URI. Returns the same full data as nvd_get_cve for a single ID: CVSS scores, CWE weaknesses, CPE configurations, CISA KEV fields, and references.

uri nvd://cve/{cveId} mime application/json