What is the NVD (National Vulnerability Database) MCP server?

NVD (National Vulnerability Database) is a Model Context Protocol (MCP) server profile on explainx.ai. MCP lets AI hosts (e.g. Claude Desktop, Cursor) call tools and resources through a standard interface; this page summarizes categories, install hints, and community ratings.

How do MCP servers relate to agent skills?

Skills are reusable instruction packages (often SKILL.md); MCP servers expose live capabilities. Teams frequently combine both—skills for workflows, MCP for APIs and data. See explainx.ai/skills and explainx.ai/mcp-servers for parallel directories.

How are reviews shown for NVD (National Vulnerability Database)?

This profile displays 10 aggregated ratings (sample rows for discoverability plus signed-in user reviews). Average score is about 4.5 out of 5—verify behavior in your own environment before production use.

auth-security

NVD (National Vulnerability Database)▌

by marcoeg

Access the NVD to search and retrieve CVE records, including SQL injection vulnerabilities, with customizable result opt

Provides access to the NIST National Vulnerability Database through get_cve and search_cve tools for retrieving and searching CVE records with customizable result options.

github stars

★ 12

GitHub npm

Requires NVD API keySearch up to 2000 records per query

best for

/ Security researchers analyzing vulnerabilities
/ DevOps teams checking for known CVEs
/ Compliance auditing and risk assessment

capabilities

/ Retrieve specific CVE records by ID
/ Search vulnerabilities by keyword
/ Get detailed CVSS scores and weakness data
/ Filter results with exact match options
/ Return concise or detailed vulnerability information

what it does

Queries the NIST National Vulnerability Database to retrieve detailed CVE records and search for vulnerabilities by keyword.

about

NVD (National Vulnerability Database) is a community-built MCP server published by marcoeg that provides AI assistants with tools and capabilities via the Model Context Protocol. Access the NVD to search and retrieve CVE records, including SQL injection vulnerabilities, with customizable result opt It is categorized under auth security.

how to install

You can install NVD (National Vulnerability Database) in your AI client of choice. Use the install panel on this page to get one-click setup for Cursor, Claude Desktop, VS Code, and other MCP-compatible clients. This server runs locally on your machine via the stdio transport.

license

MIT

NVD (National Vulnerability Database) is released under the MIT license. This is a permissive open-source license, meaning you can freely use, modify, and distribute the software.

readme

NVD Database MCP Server

A Model Context Protocol server implementation to query the NIST National Vulnerability Database (NVD) via its API. https://nvd.nist.gov/

As a prerequisite an NVD API key is required. (Request here).

Status

Works with Claude Desktop app and other MCP compliant hosts and clients using both the stdio and sse transports.

Features

Query specific CVEs by ID with detailed vulnerability data.
Search the NVD database by keyword with customizable result options.
Supports Server-Sent Events (SSE) transport for real-time communication.
Compatible with MCP-compliant clients like Claude Desktop.

Tools

The server implements the following tools to query the NVD Database:

get_cve:
- Description: Retrieves a CVE record by its ID.
- Parameters:
  - cve_id (str): The CVE ID (e.g., CVE-2019-1010218).
  - concise (bool, default False): If True, returns a shorter format.
- Returns: Detailed CVE info including scores, weaknesses, and references.
search_cve:
- Description: Searches the NVD database by keyword.
- Parameters:
  - keyword (str): Search term (e.g., Red Hat).
  - exact_match (bool, default False): If True, requires an exact phrase match.
  - concise (bool, default False): If True, returns shorter CVE records.
  - results (int, default 10): Maximum number of CVE records (1-2000).
- Returns: List of matching CVEs with total count.

Configuration

Create or edit the Claude Desktop configuration file located at:
- On macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
- On Windows: %APPDATA%/Claude/claude_desktop_config.json
Add the following:

{
  "mcpServers": {
    "mcp-nvd": {
      "command": "/path/to/uvx",
      "args": ["mcp-nvd"],
      "env": {
        "NVD_API_KEY": "your-api-key"
      }
    }
  }
}

Replace /path/to/uvx with the absolute path to the uvx executable. Find the path with which uvx command in a terminal. This ensures that the correct version of uvx is used when starting the server.
Restart Claude Desktop to apply the changes.

Development

Setup

Prerequisites:
- Python 3.10 or higher.
- An NVD API key (request here).
- uv package manager (installation).
Clone the Repository:

git clone https://github.com/marcoeg/mcp-nvd
cd mcp-nvd

Set Environment Variables:
- Create a .env file in the project root:
```
NVD_API_KEY=your-api-key
```
- Replace your-api-key with your NVD API key.
Install Dependencies:

uv sync
uv pip install -e .

Run with the MCP Inspector

cd /path/to/the/repo
source .env

npx @modelcontextprotocol/inspector uv \
    --directory /path/to/repo/mcp-nvd run mcp-nvd

Then open the browser to the URL indicated by the MCP Inspector, typically http://localhost:8077?proxyPort=8078

Switch freely between stdio and sse transport types in the inspector.

Testing with the SSE Client

Run the Server:

cd /path/to/the/repo
source .env

uv run mcp-nvd --transport sse --port 9090

Runs with SSE transport on port 9090 by default.

Run the Client:

Test get_cve:

uv run client.py http://localhost:9090/sse CVE-2019-1010218

Test search_cve (default 10 results):

uv run client.py http://localhost:9090/sse "search:Red Hat"

Test search_cve (exact match, 5 results):

uv run client.py http://localhost:9090/sse "search:Microsoft Windows:exact:5"

Docker Setup

Build

docker build -t mcp-nvd:latest .

Run

With .env:

docker run -d -p 9090:9090 -v /path/to/.env:/app/.env mcp-nvd:latest

With env var:

docker run -d -p 9090:9090 -e NVD_API_KEY="your-key" mcp-nvd:latest

Custom port:

docker run -d -p 8080:8080 -v /path/to/.env:/app/.env mcp-nvd:latest uv run mcp-nvd --transport sse --port 8080 --host 0.0.0.0

Verify

docker logs <container_id>
# Expect: INFO: Uvicorn running on http://0.0.0.0:9090

Test:

uv run client.py http://localhost:9090/sse CVE-2019-1010218

Notes

Ensure .env has NVD_API_KEY=your-key or use -e.
Default port: 9090.

Here’s the summary formatted as Markdown comments within a code block, suitable for inclusion in a file like docker-compose.yaml or README.md:

Using Docker Compose for Testing

This docker-compose.yaml, located in the tests/ directory, defines a service for testing the MCP-NVD server using a pre-built Docker image. It’s designed for a testing use case, similar to a standalone service like clickhouse, and assumes the image is built beforehand rather than rebuilt each time.

Assumptions

Pre-built Image: The service uses a pre-built image tagged as mcp-nvd:test, available locally or in a registry. The image is based on the Dockerfile in the parent directory, which sets up the MCP-NVD server with uv and runs it in SSE mode on port 9090.

How to Build the Image

To create the mcp-nvd:test image:

Navigate to the project root:
```
cd ./mcp-nvd
```
Build the image using the Dockerfile:
```
docker build -t mcp-nvd:test .
```
- This builds the image with all dependencies from pyproject.toml and the mcp_nvd/ module, setting the default command to run the server.

Running the Service

From the tests/ directory:

cd tests
docker-compose up

Access: The server runs at http://localhost:9090.
Stop: docker-compose down.
Environment: Ensure NVD_API_KEY is in ../.env or use docker-compose --env-file ../.env up.

Running `test_tools.py` in the Docker Compose Scenario

To run the unit tests (test_tools.py) within the Docker environment:

Start the Service: Ensure the mcp-nvd service is running via docker-compose up.
Exec into the Container:
- Identify the container name (e.g., mcp-nvd-mcp-nvd-1) with:
```
docker ps
```
- Run the tests inside the container:
```
docker exec -it mcp-nvd-mcp-nvd-1 python /app/tests/test_tools.py
```
- Note: Assumes test_tools.py is copied into the image at /app/tests/. If not, modify the Dockerfile to include:
```
COPY tests/ ./tests/
```
  Then rebuild the image with docker build -t mcp-nvd:test . from the root.
Alternative: Run tests locally against the containerized service:
```
cd tests
python test_tools.py
```
- This tests against http://localhost:9090 while the service runs.

Key Details

Port: 9090 is exposed for SSE access.
Logs: Stored in a log-data volume (optional).
Image: Must be built once and tagged as mcp-nvd:test before running docker-compose.

Credits to @sidharthrajaram for its working pattern for SSE-based MCP clients and servers: https://github.com/sidharthrajaram/mcp-sse

FAQ

What is the NVD (National Vulnerability Database) MCP server?: NVD (National Vulnerability Database) is a Model Context Protocol (MCP) server profile on explainx.ai. MCP lets AI hosts (e.g. Claude Desktop, Cursor) call tools and resources through a standard interface; this page summarizes categories, install hints, and community ratings.
How do MCP servers relate to agent skills?: Skills are reusable instruction packages (often SKILL.md); MCP servers expose live capabilities. Teams frequently combine both—skills for workflows, MCP for APIs and data. See explainx.ai/skills and explainx.ai/mcp-servers for parallel directories.
How are reviews shown for NVD (National Vulnerability Database)?: This profile displays 10 aggregated ratings (sample rows for discoverability plus signed-in user reviews). Average score is about 4.5 out of 5—verify behavior in your own environment before production use.

MCP server reviews

Ratings

4.5★★★★★10 reviews

★★★★★Shikha Mishra· Oct 10, 2024
NVD (National Vulnerability Database) is among the better-indexed MCP projects we tried; the explainx.ai summary tracks the official description.
★★★★★Piyush G· Sep 9, 2024
We evaluated NVD (National Vulnerability Database) against two servers with overlapping tools; this profile had the clearer scope statement.
★★★★★Chaitanya Patil· Aug 8, 2024
Useful MCP listing: NVD (National Vulnerability Database) is the kind of server we cite when onboarding engineers to host + tool permissions.
★★★★★Sakshi Patil· Jul 7, 2024
NVD (National Vulnerability Database) reduced integration guesswork — categories and install configs on the listing matched the upstream repo.
★★★★★Ganesh Mohane· Jun 6, 2024
I recommend NVD (National Vulnerability Database) for teams standardizing on MCP; the explainx.ai page compares cleanly with sibling servers.
★★★★★Oshnikdeep· May 5, 2024
Strong directory entry: NVD (National Vulnerability Database) surfaces stars and publisher context so we could sanity-check maintenance before adopting.
★★★★★Dhruvi Jain· Apr 4, 2024
NVD (National Vulnerability Database) has been reliable for tool-calling workflows; the MCP profile page is a good permalink for internal docs.
★★★★★Rahul Santra· Mar 3, 2024
According to our notes, NVD (National Vulnerability Database) benefits from clear Model Context Protocol framing — fewer ambiguous “AI plugin” claims.
★★★★★Pratham Ware· Feb 2, 2024
We wired NVD (National Vulnerability Database) into a staging workspace; the listing’s GitHub and npm pointers saved time versus hunting across READMEs.
★★★★★Yash Thakker· Jan 1, 2024
NVD (National Vulnerability Database) is a well-scoped MCP server in the explainx.ai directory — install snippets and categories matched our Claude Code setup.