[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-917":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":16,"subscribersCount":16,"size":16,"stars1d":17,"stars7d":18,"stars30d":19,"stars90d":16,"forks30d":16,"starsTrendScore":20,"compositeScore":21,"rankGlobal":10,"rankLanguage":10,"license":22,"archived":23,"fork":23,"defaultBranch":24,"hasWiki":23,"hasPages":23,"topics":25,"createdAt":10,"pushedAt":10,"updatedAt":44,"readmeContent":45,"aiSummary":46,"trendingCount":16,"starSnapshotCount":16,"syncStatus":14,"lastSyncTime":47,"discoverSource":48},917,"cve-mcp-server","mukul975\u002Fcve-mcp-server","mukul975","Production-grade MCP server giving Claude 27 security intelligence tools across 21 APIs — CVE lookup, EPSS scoring, CISA KEV, MITRE ATT&CK, Shodan, VirusTotal, and more.","https:\u002F\u002Fwww.mahipal.engineer\u002FCVE-MCP-Server\u002F",null,"Python",996,159,2,4,0,74,132,436,222,100.61,"Apache License 2.0",false,"main",[26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43],"cisa-kev","claude-ai","cve","cybersecurity","devsecops","epss","fastmcp","mcp","mitre-attack","model-context-protocol","nvd","osv","python","security","shodan","threat-intelligence","virustotal","vulnerability-management","2026-06-12 04:00:06","# 🛡️ CVE MCP Server\n\n![CVE MCP Server](assets\u002Fbanner.png)\n\n**AI-powered security intelligence at your fingertips — 27 tools, 21 data sources, one protocol.**\n\n[![Python 3.10+](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FPython-3.10%2B-3776AB?style=flat-square&logo=python&logoColor=white)](https:\u002F\u002Fpython.org)\n[![License: MIT](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FLicense-MIT-green?style=flat-square)](LICENSE)\n[![MCP 
Compatible](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FMCP-Compatible-blue?style=flat-square)](https:\u002F\u002Fmodelcontextprotocol.io)\n[![Security Tool](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FSecurity-Intelligence-red?style=flat-square&logo=shield)](https:\u002F\u002Fgithub.com\u002Fmukul975\u002Fcve-mcp-server)\n[![FastMCP](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FFastMCP-Python-00d4ff?style=flat-square)](https:\u002F\u002Fgofastmcp.com)\n\nA production-grade **Model Context Protocol (MCP) server** that turns Claude into a full-spectrum security analyst. Instead of juggling 15+ browser tabs across NVD, EPSS, CISA KEV, Shodan, VirusTotal, and GreyNoise, ask Claude one question and get correlated intelligence in seconds. Built with Python, FastMCP, httpx, aiosqlite, Pydantic v2, and defusedxml.\n\n**The problem:** Triaging a single CVE means querying NVD for CVSS scores, EPSS for exploitation probability, CISA KEV for active exploitation status, GitHub for patches, and VirusTotal for malware associations — then mentally correlating everything. For 50 CVEs, that's an entire day lost.\n\n**The solution:** CVE MCP Server gives Claude direct access to 27 security tools across 21 APIs. 
Ask \"Should we patch CVE-2024-3400?\" and Claude queries every relevant source in parallel, calculates a composite risk score, and delivers a prioritized recommendation with evidence.\n\n---\n\n## 📑 Table of contents\n\n- [Architecture](#-architecture)\n- [Tool catalog](#-tool-catalog-27-tools)\n- [Installation](#-installation)\n- [API keys setup](#-api-keys-setup)\n- [Configuration](#%EF%B8%8F-configuration)\n- [Quick start](#-quick-start)\n- [Usage examples](#-usage-examples)\n- [Risk score explained](#-risk-score-explained)\n- [Data sources](#-data-sources)\n- [Running tests](#-running-tests)\n- [Architecture deep dive](#-architecture-deep-dive)\n- [Security and privacy](#-security-and-privacy)\n- [Troubleshooting](#-troubleshooting)\n- [Roadmap and known limitations](#-roadmap-and-known-limitations)\n- [Contributing](#-contributing)\n- [License](#-license)\n\n---\n\n## 🏗️ Architecture\n\n```\n┌─────────────────────────────────────────────────────────────────────┐\n│                        Claude Desktop \u002F Claude Code                 │\n│                         (MCP Client via stdio)                      │\n└──────────────────────────────┬──────────────────────────────────────┘\n                               │ Model Context Protocol (stdio)\n                               ▼\n┌─────────────────────────────────────────────────────────────────────┐\n│                        CVE MCP Server (Python)                      │\n│  ┌─────────────┐  ┌──────────────┐  ┌───────────────┐              │\n│  │  27 MCP      │  │  Composite   │  │  SQLite Cache │              │\n│  │  Tools       │  │  Risk Engine │  │  + Audit Log  │              │\n│  └──────┬──────┘  └──────┬───────┘  └───────┬───────┘              │\n│         │                │                   │                      │\n│  ┌──────┴────────────────┴───────────────────┴──────┐               │\n│  │              Async HTTP Client (httpx)            │               │\n│  │         Rate Limiter · Response 
Cache             │               │\n│  └──────────────────────┬───────────────────────────┘               │\n└─────────────────────────┼───────────────────────────────────────────┘\n                          │ HTTPS (outbound only)\n          ┌───────────────┼───────────────────────────┐\n          ▼               ▼                           ▼\n┌──────────────┐ ┌──────────────┐            ┌──────────────┐\n│ VULNERABILITY│ │   NETWORK    │            │   THREAT     │\n│ INTELLIGENCE │ │ INTELLIGENCE │            │ INTELLIGENCE │\n├──────────────┤ ├──────────────┤            ├──────────────┤\n│ NVD API 2.0  │ │ AbuseIPDB    │            │ VirusTotal   │\n│ EPSS \u002F FIRST │ │ GreyNoise v3 │            │ MalwareBazaar│\n│ CISA KEV     │ │ Shodan       │            │ ThreatFox    │\n│ OSV.dev      │ │ CIRCL PDNS   │            │ Ransomwhere  │\n│ GitHub GHSA  │ │              │            │ AlienVault   │\n│ MITRE ATT&CK │ │              │            │ URLScan.io   │\n└──────────────┘ └──────────────┘            └──────────────┘\n```\n\nAll traffic is **outbound HTTPS only** — no inbound ports are opened. API keys are loaded from environment variables and never logged. 
Private\u002Finternal IP addresses are blocked from all lookup tools.\n\n---\n\n## 🔍 Tool catalog (27 tools)\n\n### Core Vulnerability Intelligence (8 tools)\n\n| Tool | Description | API Key Required | Example Usage |\n|------|-------------|-----------------|---------------|\n| `lookup_cve` | Fetch detailed CVE record from NVD including CVSS scores, CWEs, affected products, references, and timeline | Free \u002F No key (key recommended) | `lookup_cve(\"CVE-2024-3400\")` |\n| `search_cves` | Search NVD for CVEs by keyword, product name, severity, or date range | Free \u002F No key (key recommended) | `search_cves(keyword=\"Apache Log4j\", severity=\"CRITICAL\")` |\n| `get_epss_score` | Get EPSS exploitation probability (0–1) and percentile for one or more CVEs | Free \u002F No key | `get_epss_score(\"CVE-2024-3400\")` |\n| `check_kev_status` | Check whether a CVE appears in CISA's Known Exploited Vulnerabilities catalog | Free \u002F No key | `check_kev_status(\"CVE-2021-44228\")` |\n| `get_cvss_details` | Parse and explain a CVSS v3.1 vector string with per-metric breakdown | Free \u002F No key | `get_cvss_details(\"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:C\u002FC:H\u002FI:H\u002FA:H\")` |\n| `get_cwe_info` | Look up Common Weakness Enumeration details by CWE ID from embedded database | Free \u002F No key | `get_cwe_info(\"CWE-79\")` |\n| `get_cve_references` | Extract and categorize all reference links for a CVE (patches, advisories, exploits) | Free \u002F No key (key recommended) | `get_cve_references(\"CVE-2023-44487\")` |\n| `bulk_cve_lookup` | Batch-fetch details for up to 20 CVEs in a single call with parallel enrichment | Free \u002F No key (key recommended) | `bulk_cve_lookup([\"CVE-2024-3400\", \"CVE-2023-44487\"])` |\n\n### Exploit & Attack Intelligence (4 tools)\n\n| Tool | Description | API Key Required | Example Usage |\n|------|-------------|-----------------|---------------|\n| `search_exploits` | Search GitHub for public 
proof-of-concept exploits and exploit code repositories | `GITHUB_TOKEN` (optional) | `search_exploits(\"CVE-2024-3400\")` |\n| `get_mitre_techniques` | Map a CVE or CWE to relevant MITRE ATT&CK techniques, tactics, and mitigations | Free \u002F No key | `get_mitre_techniques(\"CVE-2021-44228\")` |\n| `check_poc_availability` | Determine if known proof-of-concept code exists for a CVE across multiple sources | `GITHUB_TOKEN` (optional) | `check_poc_availability(\"CVE-2024-3400\")` |\n| `get_attack_patterns` | Retrieve CAPEC attack pattern details associated with a CWE or CVE | Free \u002F No key | `get_attack_patterns(\"CWE-89\")` |\n\n### Phase 3: Advanced Risk & Reporting (4 tools)\n\n| Tool | Description | API Key Required | Example Usage |\n|------|-------------|-----------------|---------------|\n| `calculate_risk_score` | Compute composite 0–100 risk score using CVSS, EPSS, KEV status, and PoC availability | Free \u002F No key (key recommended) | `calculate_risk_score(\"CVE-2024-3400\")` |\n| `generate_risk_report` | Generate a formatted executive security report for one or more CVEs with recommendations | Free \u002F No key (key recommended) | `generate_risk_report([\"CVE-2024-3400\", \"CVE-2023-44487\"])` |\n| `prioritize_cves` | Rank a list of CVEs by composite risk score for triage prioritization | Free \u002F No key (key recommended) | `prioritize_cves([\"CVE-2024-3400\", \"CVE-2023-4966\", \"CVE-2023-44487\"])` |\n| `get_trending_cves` | Retrieve trending CVEs based on high EPSS scores and recent KEV additions | Free \u002F No key | `get_trending_cves(days=7, min_epss=0.5)` |\n\n### Network Intelligence (4 tools)\n\n| Tool | Description | API Key Required | Example Usage |\n|------|-------------|-----------------|---------------|\n| `lookup_ip_reputation` | Check IP address abuse history and confidence score via AbuseIPDB | `ABUSEIPDB_API_KEY` | `lookup_ip_reputation(\"185.220.101.34\")` |\n| `check_ip_noise` | Query GreyNoise for IP scan\u002Fattack 
activity, classification, and associated CVEs | `GREYNOISE_API_KEY` | `check_ip_noise(\"185.220.101.34\")` |\n| `shodan_host_lookup` | Get open ports, services, banners, and vulnerabilities for an IP via Shodan | `SHODAN_API_KEY` | `shodan_host_lookup(\"8.8.8.8\")` |\n| `passive_dns_lookup` | Retrieve historical DNS resolution data for a domain from CIRCL Passive DNS | `CIRCL_PDNS_USER` + `CIRCL_PDNS_PASSWORD` | `passive_dns_lookup(\"example.com\")` |\n\n### Threat Intelligence (4 tools)\n\n| Tool | Description | API Key Required | Example Usage |\n|------|-------------|-----------------|---------------|\n| `virustotal_lookup` | Analyze file hashes, URLs, domains, or IPs against 70+ antivirus engines | `VIRUSTOTAL_API_KEY` | `virustotal_lookup(hash=\"44d88612fea8a8f36de82e1278abb02f\")` |\n| `search_malware` | Search MalwareBazaar for malware samples by hash, tag, or signature | `ABUSECH_AUTH_KEY` (optional) | `search_malware(tag=\"Emotet\")` |\n| `search_iocs` | Query ThreatFox for Indicators of Compromise linked to malware families | `ABUSECH_AUTH_KEY` (optional) | `search_iocs(malware=\"CobaltStrike\")` |\n| `check_ransomware` | Look up ransomware payment addresses and transaction data from Ransomwhere | Free \u002F No key | `check_ransomware(address=\"bc1q...\")` |\n\n### DevSecOps (3 tools)\n\n| Tool | Description | API Key Required | Example Usage |\n|------|-------------|-----------------|---------------|\n| `scan_dependencies` | Scan package names and versions against OSV.dev for known vulnerabilities | Free \u002F No key | `scan_dependencies(ecosystem=\"PyPI\", packages={\"requests\": \"2.28.0\"})` |\n| `scan_github_advisories` | Search GitHub Security Advisories by ecosystem, package, or severity | `GITHUB_TOKEN` (optional) | `scan_github_advisories(ecosystem=\"pip\", package=\"django\")` |\n| `urlscan_check` | Submit a URL for scanning or retrieve previous scan results from URLScan.io | `URLSCAN_API_KEY` | 
`urlscan_check(\"https:\u002F\u002Fsuspicious-site.com\")` |\n\n---\n\n## 📦 Installation\n\n### Prerequisites\n\n- **Python 3.10+** (3.11 or 3.12 recommended)\n- **pip** or **uv** package manager\n- **Git** for cloning the repository\n- A terminal with access to environment variables\n\n### Step-by-step setup\n\n```bash\n# 1. Clone the repository\ngit clone https:\u002F\u002Fgithub.com\u002Fmukul975\u002Fcve-mcp-server.git\ncd cve-mcp-server\n\n# 2. Create and activate a virtual environment\npython -m venv venv\n\n# macOS \u002F Linux:\nsource venv\u002Fbin\u002Factivate\n\n# Windows (PowerShell):\n.\\venv\\Scripts\\Activate.ps1\n\n# Windows (CMD):\nvenv\\Scripts\\activate.bat\n\n# 3. Install dependencies\npip install -e .\n\n# 4. Copy and configure environment variables\ncp .env.example .env\n# Edit .env with your API keys (see API Keys Setup section below)\n\n# 5. Verify the server starts\npython -m cve_mcp.server\n```\n\n### Using uv (faster alternative)\n\n```bash\ngit clone https:\u002F\u002Fgithub.com\u002Fmukul975\u002Fcve-mcp-server.git\ncd cve-mcp-server\nuv venv\nsource .venv\u002Fbin\u002Factivate  # or .venv\\Scripts\\activate on Windows\nuv pip install -e .\ncp .env.example .env\n```\n\n### With test dependencies\n\n```bash\npip install -e \".[test]\"\n```\n\n---\n\n## 🔑 API keys setup\n\nAPI keys are organized by priority — get the **Tier 1** keys first for maximum coverage with free tools, then progressively add Tier 2 and Tier 3 as needed.\n\n### Tier 1: High priority (free, instant access, maximum coverage)\n\n| ENV Variable | Enables | How to Get | Free Tier Limits | Required? 
|\n|-------------|---------|-----------|-----------------|-----------|\n| `NVD_API_KEY` | 10× faster NVD lookups (50 req\u002F30s vs 5) | [Request at nvd.nist.gov](https:\u002F\u002Fnvd.nist.gov\u002Fdevelopers\u002Frequest-an-api-key) | **50 requests per 30 seconds** | Optional but strongly recommended |\n| `GITHUB_TOKEN` | GitHub Advisory search + exploit PoC search | [Create PAT at github.com\u002Fsettings\u002Ftokens](https:\u002F\u002Fgithub.com\u002Fsettings\u002Ftokens) | **5,000 requests\u002Fhour** | Optional (60\u002Fhr without) |\n\n### Tier 2: Recommended (free accounts, significant value)\n\n| ENV Variable | Enables | How to Get | Free Tier Limits | Required? |\n|-------------|---------|-----------|-----------------|-----------|\n| `ABUSEIPDB_KEY` | IP reputation lookups | [Register at abuseipdb.com](https:\u002F\u002Fwww.abuseipdb.com\u002Fregister) | **1,000 checks\u002Fday** | Required for IP tools |\n| `VIRUSTOTAL_KEY` | File\u002FURL\u002Fdomain\u002FIP malware scanning | [Sign up at virustotal.com](https:\u002F\u002Fwww.virustotal.com\u002Fgui\u002Fjoin-us) | **500 lookups\u002Fday, 4\u002Fmin** | Required for VT tools |\n| `GREYNOISE_API_KEY` | IP noise\u002Fscan activity intelligence | [Sign up at viz.greynoise.io](https:\u002F\u002Fviz.greynoise.io\u002Fsignup) | **50 queries\u002Fweek** (community) | Required for GreyNoise tools |\n| `SHODAN_KEY` | Host\u002Fport\u002Fservice reconnaissance | [Register at account.shodan.io](https:\u002F\u002Faccount.shodan.io) | Basic host lookups (free tier) | Required for Shodan tools |\n\n### Tier 3: Optional (extended intelligence)\n\n| ENV Variable | Enables | How to Get | Free Tier Limits | Required? 
|\n|-------------|---------|-----------|-----------------|-----------|\n| `URLSCAN_KEY` | URL scanning and website analysis | [Sign up at urlscan.io](https:\u002F\u002Furlscan.io\u002Fuser\u002Fsignup) | **5,000 public scans\u002Fday** | Optional |\n| `CIRCL_PDNS_USER` | CIRCL Passive DNS lookups | [Request access at circl.lu](https:\u002F\u002Fwww.circl.lu\u002Fservices\u002Fpassive-dns\u002F) | Partner access only | Optional |\n| `CIRCL_PDNS_PASS` | CIRCL Passive DNS authentication | Provided with CIRCL registration | Partner access only | Optional |\n\n> **⚡ Zero-key start:** Eight tools work without any API key — EPSS, CISA KEV, OSV.dev, MITRE ATT&CK, CWE lookups, CVSS parsing, Ransomwhere, and NVD (at reduced rate). You can start using the server immediately and add keys progressively.\n\n---\n\n## ⚙️ Configuration\n\n### Environment variables (.env.example)\n\n```env\n# NVD API key — free at https:\u002F\u002Fnvd.nist.gov\u002Fdevelopers\u002Frequest-an-api-key\n# Without key: 5 req\u002F30s  |  With key: 50 req\u002F30s\nNVD_API_KEY=\n\n# GitHub token — increases rate limit from 60\u002Fhr to 5000\u002Fhr (no scopes needed)\nGITHUB_TOKEN=\n\n# Threat intelligence keys (all optional — tools degrade gracefully without them)\nABUSEIPDB_KEY=       # https:\u002F\u002Fwww.abuseipdb.com\u002Faccount\u002Fapi\nVIRUSTOTAL_KEY=      # https:\u002F\u002Fwww.virustotal.com\u002Fgui\u002Fjoin-us\nURLSCAN_KEY=         # https:\u002F\u002Furlscan.io\u002Fuser\u002Fsignup\nSHODAN_KEY=          # https:\u002F\u002Faccount.shodan.io\u002Fregister\n\n# GreyNoise — uses \u002Fv3\u002Fip\u002F{ip} endpoint (NOT the deprecated \u002Fv3\u002Fcommunity)\nGREYNOISE_API_KEY=   # https:\u002F\u002Fviz.greynoise.io\u002Fsignup\n\n# CIRCL Passive DNS — requires partner registration\nCIRCL_PDNS_USER=\nCIRCL_PDNS_PASS=\n\n# Optional overrides\nCACHE_DB_PATH=       # defaults to ~\u002F.cve-mcp\u002Fcache.db\nAUDIT_LOG_PATH=      # defaults to 
~\u002F.cve-mcp\u002Faudit.log\nREQUEST_TIMEOUT=30   # HTTP timeout in seconds\nMAX_RETRIES=3        # retries on transient errors\n```\n\n### Claude Desktop configuration\n\n**macOS:** `~\u002FLibrary\u002FApplication Support\u002FClaude\u002Fclaude_desktop_config.json`\n**Windows:** `%APPDATA%\\Claude\\claude_desktop_config.json`\n\n```json\n{\n  \"mcpServers\": {\n    \"cve-mcp\": {\n      \"command\": \"python\",\n      \"args\": [\"-m\", \"cve_mcp.server\"],\n      \"cwd\": \"\u002Fabsolute\u002Fpath\u002Fto\u002Fcve-mcp-server\",\n      \"env\": {\n        \"NVD_API_KEY\": \"your-key-here\",\n        \"GITHUB_TOKEN\": \"ghp_xxxxxxxxxxxxxxxxxxxx\",\n        \"ABUSEIPDB_KEY\": \"your-abuseipdb-key\",\n        \"GREYNOISE_API_KEY\": \"your-greynoise-key\",\n        \"SHODAN_KEY\": \"your-shodan-key\"\n      }\n    }\n  }\n}\n```\n\n> ⚠️ **Important:** Always use **absolute paths**. Fully quit Claude Desktop (Cmd+Q \u002F Alt+F4) after changing the config — reloading is not enough.\n\n### Claude Code configuration\n\n```bash\n# Basic setup\nclaude mcp add cve-mcp -- python -m cve_mcp.server\n\n# With environment variables from a .env file\nclaude mcp add cve-mcp --env-file .env -- python -m cve_mcp.server\n\n# Verify it's connected\nclaude mcp list\n```\n\n---\n\n## 🚀 Quick start\n\n### Step 1: Install (2 minutes)\n\n```bash\ngit clone https:\u002F\u002Fgithub.com\u002Fmukul975\u002Fcve-mcp-server.git\ncd cve-mcp-server\npython -m venv venv && source venv\u002Fbin\u002Factivate\npip install -e .\n```\n\n### Step 2: Test with free tools first\n\nNo `.env` file needed. Add the server to Claude Desktop or Claude Code and try:\n\n> **\"What is CVE-2021-44228? 
Is it actively exploited?\"**\n\nClaude will use `lookup_cve` (NVD), `get_epss_score` (EPSS), and `check_kev` (CISA KEV) — all free, no keys required.\n\n> **\"Scan these Python packages for vulnerabilities: requests 2.28.0, flask 2.2.0, django 3.2.0\"**\n\n### Step 3: Add your first key for 10× performance\n\n```bash\necho 'NVD_API_KEY=your-key-here' > .env\n```\n\nRequest a free NVD key at [nvd.nist.gov](https:\u002F\u002Fnvd.nist.gov\u002Fdevelopers\u002Frequest-an-api-key) — instant via email, increases rate limit from **5 to 50 requests per 30 seconds**.\n\n### Step 4: Full power mode\n\nOnce you've added Tier 1 and Tier 2 keys:\n\n> **\"Calculate the risk score for CVE-2024-3400 and tell me if we should patch immediately.\"**\n\n---\n\n## 💬 Usage examples\n\n### Scenario 1: \"Should we patch Log4Shell immediately?\"\n\n> **You:** Analyze if CVE-2021-44228 (Log4Shell) needs immediate patching. Give me the risk score and your recommendation.\n\nClaude orchestrates multiple tools behind the scenes:\n\n```\n→ lookup_cve(\"CVE-2021-44228\")\n  CVSS 3.1: 10.0 (CRITICAL) | AV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:C\u002FC:H\u002FI:H\u002FA:H\n\n→ get_epss_score(\"CVE-2021-44228\")\n  EPSS: 0.97531 (97.5%) | Percentile: 99.99%\n\n→ check_kev(\"CVE-2021-44228\")\n  ✅ IN CISA KEV — Added 2021-12-10 | Known ransomware use: Yes\n\n→ check_poc_exists(\"CVE-2021-44228\")\n  ✅ WEAPONIZED — 300+ public PoC repositories found\n\n→ calculate_risk_score(\"CVE-2021-44228\")\n  Risk Score: 97\u002F100 (CRITICAL) | Urgency: PATCH IMMEDIATELY\n```\n\n**Claude's response:** \"CVE-2021-44228 scores **97\u002F100 (CRITICAL)**. Remote code execution in Apache Log4j, CVSS 10.0, 97.5% EPSS probability, confirmed active exploitation in CISA KEV including ransomware campaigns, 300+ public exploits. 
**Patch immediately.**\"\n\n### Scenario 2: \"Scan my Python requirements.txt\"\n\n> **You:** Scan these dependencies: requests==2.28.0, flask==2.2.0, django==3.2.0, pillow==9.0.0, cryptography==37.0.0\n\n```\n→ scan_dependencies(ecosystem=\"PyPI\", packages={...})\n  Found 12 vulnerabilities across 4 packages\n```\n\n**Claude's response:** \"Found **12 vulnerabilities** across your packages. **Immediate action:** Django 3.2.0 (3 critical CVEs including SQL injection), Pillow 9.0.0 (heap overflow), cryptography 37.0.0 (OpenSSL chain). Upgrade to: django>=4.2.16, pillow>=10.3.0, cryptography>=42.0.0.\"\n\n### Scenario 3: \"Investigate a suspicious IP\"\n\n> **You:** Investigate suspicious IP 185.220.101.34 — is it malicious?\n\n```\n→ check_ip_reputation(\"185.220.101.34\")\n  AbuseIPDB Confidence: 100% | Reports: 4,832 | ISP: Tor Exit Node\n\n→ check_ip_noise(\"185.220.101.34\")\n  GreyNoise: MALICIOUS | Tags: [Tor Exit Node, Web Scanner]\n  CVEs targeted: CVE-2024-3400, CVE-2023-46805\n\n→ shodan_host_lookup(\"185.220.101.34\")\n  Open ports: 22, 80, 443, 9001 | OS: Linux\n```\n\n**Claude's response:** \"**185.220.101.34 is a known Tor exit node** rated 100% malicious by AbuseIPDB with 4,832 abuse reports. GreyNoise confirms active scanning for CVE-2024-3400 (Palo Alto) and CVE-2023-46805 (Ivanti). 
**Recommendation: Block at firewall.**\"\n\n### Scenario 4: \"Generate an executive security report\"\n\n> **You:** Generate an executive security report for: CVE-2024-3400, CVE-2023-44487, CVE-2023-4966, CVE-2024-21887\n\n```\n→ compare_cves([...])\n  Compiles: NVD, EPSS, KEV, PoC availability, MITRE ATT&CK mapping\n  Generates: Ranked risk table, remediation timeline, executive summary\n```\n\n---\n\n## 📊 Risk score explained\n\nThe `calculate_risk_score` tool produces a **composite risk score from 0 to 100** by weighting four independent signals.\n\n### The formula\n\n```\nRisk Score = (CVSS × 0.20) + (EPSS × 0.35) + (KEV × 0.30) + (PoC × 0.15)\n```\n\n| Component | Weight | What It Captures |\n|-----------|--------|-----------------|\n| **CVSS v3.1 Base Score** | 20% | Theoretical worst-case severity |\n| **EPSS Probability** | 35% | Statistical likelihood of exploitation in the next 30 days |\n| **CISA KEV Status** | 30% | Confirmed active exploitation in the wild |\n| **PoC Availability** | 15% | Public exploit code lowers the barrier for attackers |\n\n### Boost multipliers\n\n- **KEV + active PoC** → ×1.15\n- **CVSS ≥ 9.0 + EPSS > 0.7** → ×1.10\n- **Published \u003C 7 days ago** → ×1.05\n\nScore is capped at 100.\n\n### Risk labels\n\n| Score | Label | Recommended Action |\n|-------|-------|--------------------|\n| **0 – 25** | **LOW** | Schedule for next maintenance window |\n| **26 – 50** | **MEDIUM** | Patch within 30 days per SLA |\n| **51 – 75** | **HIGH** | Patch within 7 days; escalate to team lead |\n| **76 – 100** | **CRITICAL** | **Patch within 24–48 hours.** Emergency change window. |\n\n### Why these weights?\n\n**EPSS gets the highest weight (35%)** because it's the single best predictor of actual exploitation — far better than CVSS alone. A CVSS 10.0 with EPSS 0.01 is theoretically dangerous but practically unlikely. **KEV at 30%** is ground truth: confirmed exploitation, not a prediction. 
**CVSS at 20%** captures severity context for new CVEs with insufficient EPSS data. **PoC at 15%** reflects that public exploits dramatically accelerate real-world attacks.\n\n---\n\n## 🌐 Data sources\n\n| # | Source | Data Provided | Auth | Rate Limit (Free) |\n|---|--------|--------------|------|-------------------|\n| 1 | **NVD** | CVE details, CVSS, CWEs, CPEs | `apiKey` header (optional) | 5 req\u002F30s (50 with key) |\n| 2 | **EPSS** | Exploitation probability and percentiles | None | 1,000 req\u002Fmin |\n| 3 | **CISA KEV** | Actively exploited CVE catalog | None | Static file |\n| 4 | **OSV.dev** | Open-source package vulnerabilities | None | No published limit |\n| 5 | **GitHub Advisories** | GHSA advisories, patches, affected versions | `Bearer` token | 60\u002Fhr (5,000 with PAT) |\n| 6 | **MITRE ATT&CK** | TTPs, techniques, mitigations | None | No published limit |\n| 7 | **AbuseIPDB** | IP abuse confidence, reports, ISP, geo | `Key` header | 1,000 checks\u002Fday |\n| 8 | **GreyNoise** | IP noise\u002Fscan activity, classification | `key` header | 50 queries\u002Fweek |\n| 9 | **Shodan** | Open ports, services, banners, CVEs | `key` query param | Basic lookups |\n| 10 | **VirusTotal** | Multi-AV scan results, reputation | `x-apikey` header | 500\u002Fday, 4\u002Fmin |\n| 11 | **MalwareBazaar** | Malware samples, hashes, signatures | `Auth-Key` header | Fair use |\n| 12 | **ThreatFox** | IOCs linked to malware families | `Auth-Key` header | Fair use |\n| 13 | **Ransomwhere** | Ransomware BTC addresses and transactions | None | No published limit |\n| 14 | **URLScan.io** | URL scanning, screenshots, DOM | `API-Key` header | 5,000 public scans\u002Fday |\n| 15 | **CIRCL PDNS** | Historical passive DNS records | HTTP Basic Auth | Partner access |\n| 16 | **GitHub Code Search** | Exploit PoC repository search | `Bearer` token | Shared with GHSA limits |\n| 17 | **Exploit-DB** | Public exploit database CSV | None | No published limit |\n| 18 | **Nuclei 
Templates** | Community detection templates | None | No published limit |\n| 19 | **MSRC** | Microsoft security advisories | None | No published limit |\n| 20 | **Red Hat Security** | Red Hat CVE advisories | None | No published limit |\n| 21 | **Ubuntu Security** | Ubuntu CVE tracker | None | No published limit |\n\n---\n\n## 🧪 Running tests\n\n```bash\n# Run the full test suite\npytest tests\u002F -v\n\n# Run specific test files\npytest tests\u002Ftest_validators.py tests\u002Ftest_risk_scorer.py -v\n\n# Run with coverage\npytest tests\u002F -v --cov=src\u002Fcve_mcp --cov-report=term-missing\n```\n\n### Test with the MCP Inspector\n\n```bash\nnpx @modelcontextprotocol\u002Finspector python -m cve_mcp.server\n```\n\nOpens at `http:\u002F\u002Flocalhost:6274` — interactively test each tool, view input schemas, and inspect response formats.\n\n### What tests cover\n\n- **Unit tests:** Risk score calculation, CVSS vector parsing, input validation\n- **Integration tests:** Tool registration, parameter validation, error handling for missing keys\n- **Cache tests:** SQLite cache writes, TTL expiration, cache hit\u002Fmiss\n- **Security tests:** Private IP blocking, XML bomb protection (defusedxml), input sanitization\n\n---\n\n## 🏛️ Architecture deep dive\n\n### File structure\n\n```\nsrc\u002Fcve_mcp\u002F\n├── server.py              # FastMCP server — all 27 @mcp.tool() definitions\n├── config.py              # Environment config and API base URLs\n├── models.py              # Pydantic models (CVERecord, KEVEntry, EPSSScore, ...)\n├── audit.py               # Rotating audit log (50MB, 5 backups)\n├── api\u002F\n│   ├── nvd_client.py      # NVD REST API v2.0\n│   ├── osv_client.py      # OSV.dev package vulnerability API\n│   ├── epss_client.py     # FIRST EPSS API\n│   ├── kev_client.py      # CISA KEV catalog\n│   ├── ip_intel.py        # AbuseIPDB + GreyNoise\n│   ├── domain_intel.py    # crt.sh + CIRCL passive DNS\n│   ├── shodan_client.py   # Shodan host 
intelligence\n│   ├── hash_intel.py      # MalwareBazaar + VirusTotal\n│   ├── url_safety.py      # URLScan.io\n│   ├── malware_intel.py   # ThreatFox IOC lookup\n│   ├── ransomware_intel.py# Ransomwhere Bitcoin address lookup\n│   ├── exploit_intel.py   # GitHub PoC\u002Fexploit search\n│   ├── vendor_advisory.py # MSRC + Red Hat + Ubuntu advisories\n│   ├── attack_mapping.py  # MITRE ATT&CK STIX mapping\n│   ├── cve_timeline.py    # CVE event timeline builder\n│   ├── dependency_scan.py # OSV-based dependency scanning\n│   ├── poc_checker.py     # GitHub + Exploit-DB + Nuclei PoC search\n│   ├── report_generator.py# Vuln report + CVE comparison matrix\n│   └── rate_limiter.py    # Token bucket rate limiter for NVD\n├── cache\u002F\n│   └── sqlite_cache.py    # Async SQLite cache with per-key TTL\n└── utils\u002F\n    ├── validators.py       # CVE ID normalization, IP\u002Fhash validation\n    └── risk_scorer.py      # Composite risk score computation\n```\n\n### Caching strategy\n\n| Resource | TTL |\n|----------|-----|\n| CVE records (NVD) | 1 hour |\n| EPSS scores | 6 hours |\n| KEV catalog | 1 hour |\n| IP \u002F domain intel | 1 hour |\n| Exploit-DB CSV | 24 hours |\n| ATT&CK STIX data | 24 hours |\n| Ransomware intel | 24 hours |\n\n### Audit log\n\nEvery tool invocation is logged to `~\u002F.cve-mcp\u002Faudit.log`:\n\n```json\n{\n  \"timestamp\": \"2026-04-14T10:23:45.123Z\",\n  \"tool\": \"lookup_cve\",\n  \"parameters\": {\"cve_id\": \"CVE-2024-3400\"},\n  \"duration_ms\": 342,\n  \"cache_hit\": false,\n  \"status\": \"ok\"\n}\n```\n\nAPI keys and response payloads are **never written to audit logs**.\n\n---\n\n## 🔐 Security and privacy\n\n### What data leaves your machine\n\n- **Outbound HTTPS only** — no inbound ports opened, no telemetry\n- CVE IDs, IPs, hashes, domains, and package names are sent to respective APIs for lookup\n- API responses are cached locally in SQLite — cached data stays on your machine\n\n### Private IP blocking\n\nAll network 
intelligence tools block private and reserved IP ranges before any external API call:\n- `10.0.0.0\u002F8`, `172.16.0.0\u002F12`, `192.168.0.0\u002F16` (RFC 1918)\n- `127.0.0.0\u002F8` (loopback), `169.254.0.0\u002F16` (link-local)\n- `::1`, `fc00::\u002F7` (IPv6 private)\n\n### API key protection\n\n- Keys loaded from environment variables only — never hardcoded\n- `.env` is gitignored\n- Keys never logged, cached, or included in audit entries\n\n### XML safety\n\n`defusedxml` is used for all XML parsing to prevent XML bomb attacks (billion laughs, XXE injection).\n\n---\n\n## 🔧 Troubleshooting\n\n### Server won't start\n\n```bash\n# Ensure virtual environment is activated and package is installed\npip install -e .\npython --version  # must be 3.10+\n```\n\n**Claude Desktop doesn't show the hammer icon (🔨)**\n- Check for JSON syntax errors (no trailing commas) in your config\n- Use **absolute paths** — relative paths silently fail\n- Fully quit Claude Desktop (Cmd+Q \u002F Alt+F4) and restart\n\n### NVD rate limited\n\n```bash\n# Add your free NVD API key to .env\nNVD_API_KEY=your-key-here\n# https:\u002F\u002Fnvd.nist.gov\u002Fdevelopers\u002Frequest-an-api-key\n```\n\nThe server queues excess requests automatically, but with a key you get 10× throughput.\n\n### GreyNoise 401 Unauthorized\n\n```bash\n# Verify your key works:\ncurl -H \"key: YOUR_KEY\" https:\u002F\u002Fapi.greynoise.io\u002Fv3\u002Fip\u002F8.8.8.8\n# The server uses \u002Fv3\u002Fip\u002F{ip} — NOT the deprecated \u002Fv3\u002Fcommunity endpoint\n```\n\n### Windows encoding issues\n\n```powershell\n$env:PYTHONUTF8 = \"1\"\n$env:PYTHONIOENCODING = \"utf-8\"\n```\n\n---\n\n## 🗺️ Roadmap and known limitations\n\n### What the server does NOT do\n\n- **No active scanning** — intelligence\u002Flookup only, does not probe your infrastructure\n- **No write operations** — reads from external APIs only (except URLScan submissions)\n- **No CVSS v4.0 scoring** — built-in calculator handles v3.1 only; 
NVD-provided v4.0 scores are displayed but not recalculated\n\n### Known API limitations\n\n- NVD returns max **2,000 results per query**\n- EPSS scores for brand-new CVEs (\u003C 24 hours old) may not exist yet\n- CISA KEV updates on US business days only\n- GreyNoise community tier: **50 queries\u002Fweek**\n- VirusTotal free tier: **4 requests\u002Fminute**\n- CIRCL PDNS requires manual registration and approval\n- Ransomwhere has a **90-day embargo** on new addresses\n\n### Planned improvements\n\n- CVSS v4.0 local calculator\n- Webhook\u002Falerting for KEV additions and EPSS score changes on a CVE watchlist\n- STIX 2.1 export for SIEM integration\n- Docker container with zero-install deployment\n- Streamable HTTP transport (MCP SSE)\n- Additional sources: Censys, SecurityTrails, VulnCheck\n\n---\n\n## 🤝 Contributing\n\nContributions are welcome.\n\n### Adding a new tool\n\n1. Add the tool function in `server.py` with the `@mcp.tool()` decorator\n2. Add input validation in `utils\u002Fvalidators.py`\n3. Implement the API client in `api\u002F`\n4. Add tests in `tests\u002F`\n5. 
Update this README\n\n```python\n@mcp.tool()\nasync def my_new_tool(param: str, ctx: Context = None) -> str:\n    \"\"\"\n    One-line description for Claude to know when to use this tool.\n\n    Args:\n        param: Description of the parameter\n    \"\"\"\n    app = _get_app(ctx)\n    # validate → cache check → API call → cache write → audit → return\n```\n\n### Testing requirements\n\n- All new tools must have at least one offline test with mocked responses\n- Risk score changes must include formula verification test cases\n- Network tools must include a test verifying private IP blocking\n- All tests must pass: `pytest tests\u002F -v`\n\n---\n\n## 📄 License\n\nMIT License — see [LICENSE](LICENSE) for details.\n\n```\nCopyright (c) 2025-2026 Mahipal Jangra (mukul975)\n```\n\n---\n\n\u003Cp align=\"center\">\n  Built with 🔐 by \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fmukul975\">Mahipal Jangra\u003C\u002Fa> · Berlin, Germany\u003Cbr>\n  \u003Cem>Turning security intelligence into conversation.\u003C\u002Fem>\n\u003C\u002Fp>\n","CVE MCP Server is a production-grade Model Context Protocol (MCP) server that gives Claude 27 security intelligence tools across 21 APIs, including CVE lookup, EPSS scoring, CISA KEV, MITRE ATT&CK, Shodan and VirusTotal. The project is written in Python and combines FastMCP, httpx, aiosqlite, Pydantic v2 and defusedxml to deliver efficient data processing and analysis. It consolidates security information from multiple sources into a single query, greatly simplifying the security analyst's workflow, and is especially suited to enterprise environments or security teams that need to assess and respond to large numbers of CVEs quickly. By asking Claude a single question, users can obtain relevant intelligence from multiple data sources within seconds, along with risk assessment recommendations based on that intelligence.","2026-06-11 02:40:15","CREATED_QUERY"]