by marcoeg
Access the NVD to search and retrieve CVE records, including SQL injection vulnerabilities, with customizable result opt
Queries the NIST National Vulnerability Database to retrieve detailed CVE records and search for vulnerabilities by keyword.
NVD (National Vulnerability Database) is a community-built MCP server published by marcoeg that provides AI assistants with tools and capabilities via the Model Context Protocol. Access the NVD to search and retrieve CVE records, including SQL injection vulnerabilities, with customizable result opt It is categorized under auth security.
You can install NVD (National Vulnerability Database) in your AI client of choice. Use the install panel on this page to get one-click setup for Cursor, Claude Desktop, VS Code, and other MCP-compatible clients. This server runs locally on your machine via the stdio transport.
MIT
NVD (National Vulnerability Database) is released under the MIT license. This is a permissive open-source license, meaning you can freely use, modify, and distribute the software.
Add new capabilities to Claude beyond text generation
Example
Access external data sources, execute code, interact with tools and services
Transform Claude from chatbot to action-taking agent
Provide Claude with access to relevant context and data
Example
Load project documentation, access knowledge bases, query databases
Get more accurate, context-aware responses
Automate multi-step workflows combining AI and external tools
Example
Research → Summarize → Create document → Send notification
Complete complex tasks end-to-end without manual steps
Share your MCP server with the developer community
We evaluated NVD (National Vulnerability Database) against two servers with overlapping tools; this profile had the clearer scope statement.
NVD (National Vulnerability Database) is among the better-indexed MCP projects we tried; the explainx.ai summary tracks the official description.
NVD (National Vulnerability Database) reduced integration guesswork — categories and install configs on the listing matched the upstream repo.
Strong directory entry: NVD (National Vulnerability Database) surfaces stars and publisher context so we could sanity-check maintenance before adopting.
Useful MCP listing: NVD (National Vulnerability Database) is the kind of server we cite when onboarding engineers to host + tool permissions.
We wired NVD (National Vulnerability Database) into a staging workspace; the listing’s GitHub and npm pointers saved time versus hunting across READMEs.
Useful MCP listing: NVD (National Vulnerability Database) is the kind of server we cite when onboarding engineers to host + tool permissions.
Strong directory entry: NVD (National Vulnerability Database) surfaces stars and publisher context so we could sanity-check maintenance before adopting.
NVD (National Vulnerability Database) has been reliable for tool-calling workflows; the MCP profile page is a good permalink for internal docs.
According to our notes, NVD (National Vulnerability Database) benefits from clear Model Context Protocol framing — fewer ambiguous “AI plugin” claims.
showing 1-10 of 56
A Model Context Protocol server implementation to query the NIST National Vulnerability Database (NVD) via its API. https://nvd.nist.gov/
As a prerequisite an NVD API key is required. (Request here).
Works with Claude Desktop app and other MCP compliant hosts and clients using both the stdio and sse transports.
The server implements the following tools to query the NVD Database:
get_cve:
cve_id (str): The CVE ID (e.g., CVE-2019-1010218).concise (bool, default False): If True, returns a shorter format.search_cve:
keyword (str): Search term (e.g., Red Hat).exact_match (bool, default False): If True, requires an exact phrase match.concise (bool, default False): If True, returns shorter CVE records.results (int, default 10): Maximum number of CVE records (1-2000).Create or edit the Claude Desktop configuration file located at:
~/Library/Application Support/Claude/claude_desktop_config.json%APPDATA%/Claude/claude_desktop_config.jsonAdd the following:
{
"mcpServers": {
"mcp-nvd": {
"command": "/path/to/uvx",
"args": ["mcp-nvd"],
"env": {
"NVD_API_KEY": "your-api-key"
}
}
}
}
Replace /path/to/uvx with the absolute path to the uvx executable. Find the path with which uvx command in a terminal. This ensures that the correct version of uvx is used when starting the server.
Restart Claude Desktop to apply the changes.
Prerequisites:
uv package manager (installation).Clone the Repository:
git clone https://github.com/marcoeg/mcp-nvd
cd mcp-nvd
Set Environment Variables:
.env file in the project root:
NVD_API_KEY=your-api-key
your-api-key with your NVD API key.Install Dependencies:
uv sync
uv pip install -e .
cd /path/to/the/repo
source .env
npx @modelcontextprotocol/inspector uv \
--directory /path/to/repo/mcp-nvd run mcp-nvd
Then open the browser to the URL indicated by the MCP Inspector, typically http://localhost:8077?proxyPort=8078
Switch freely between
stdioandssetransport types in the inspector.
cd /path/to/the/repo
source .env
uv run mcp-nvd --transport sse --port 9090
9090 by default.Test get_cve:
uv run client.py http://localhost:9090/sse CVE-2019-1010218
Test search_cve (default 10 results):
uv run client.py http://localhost:9090/sse "search:Red Hat"
Test search_cve (exact match, 5 results):
uv run client.py http://localhost:9090/sse "search:Microsoft Windows:exact:5"
docker build -t mcp-nvd:latest .
With .env:
docker run -d -p 9090:9090 -v /path/to/.env:/app/.env mcp-nvd:latest
With env var:
docker run -d -p 9090:9090 -e NVD_API_KEY="your-key" mcp-nvd:latest
Custom port:
docker run -d -p 8080:8080 -v /path/to/.env:/app/.env mcp-nvd:latest uv run mcp-nvd --transport sse --port 8080 --host 0.0.0.0
docker logs <container_id>
# Expect: INFO: Uvicorn running on http://0.0.0.0:9090
Test:
uv run client.py http://localhost:9090/sse CVE-2019-1010218
.env has NVD_API_KEY=your-key or use -e.9090.Here’s the summary formatted as Markdown comments within a code block, suitable for inclusion in a file like docker-compose.yaml or README.md:
This docker-compose.yaml, located in the tests/ directory, defines a service for testing the MCP-NVD server using a pre-built Docker image. It’s designed for a testing use case, similar to a standalone service like clickhouse, and assumes the image is built beforehand rather than rebuilt each time.
mcp-nvd:test, available locally or in a registry. The image is based on the Dockerfile in the parent directory, which sets up the MCP-NVD server with uv and runs it in SSE mode on port 9090.To create the mcp-nvd:test image:
cd ./mcp-nvd
docker build -t mcp-nvd:test .
pyproject.toml and the mcp_nvd/ module, setting the default command to run the server.From the tests/ directory:
cd tests
docker-compose up
http://localhost:9090.docker-compose down.NVD_API_KEY is in ../.env or use docker-compose --env-file ../.env up.test_tools.py in the Docker Compose ScenarioTo run the unit tests (test_tools.py) within the Docker environment:
mcp-nvd service is running via docker-compose up.mcp-nvd-mcp-nvd-1) with:
docker ps
docker exec -it mcp-nvd-mcp-nvd-1 python /app/tests/test_tools.py
test_tools.py is copied into the image at /app/tests/. If not, modify the Dockerfile to include:
COPY tests/ ./tests/
Then rebuild the image with docker build -t mcp-nvd:test . from the root.cd tests
python test_tools.py
http://localhost:9090 while the service runs.log-data volume (optional).mcp-nvd:test before running docker-compose.Credits to @sidharthrajaram for its working pattern for SSE-based MCP clients and servers: https://github.com/sidharthrajaram/mcp-sse
Prerequisites
Time Estimate
15-60 minutes depending on server complexity
Steps
Troubleshooting
✓ Do
✗ Don't
💡 Pro Tips
Architecture
Model Context Protocol standardizes how AI hosts (Claude, Cursor) communicate with external tools and data sources through server implementations.
Protocols
Compatibility
✓ Use when
Use when you need Claude to access external data, execute actions, or integrate with tools. Best for extending AI capabilities beyond conversation.
✗ Avoid when
Avoid when native integrations exist (use official APIs directly), for real-time critical systems, or when security/compliance requires zero external dependencies.