
NIST NVD MCP Server
Let your agent search NIST NVD CVEs by severity, CWE, CPE, and CISA KEV so dependency and incident reviews stay current during ship prep.
Overview
io.github.cyanheads/nist-nvd-mcp-server is an MCP server for the Ship phase that lets your agent search and audit NIST NVD CVEs with severity, CWE, CPE, and CISA KEV filters.
What is this MCP server?
- Search CVEs by keyword, severity, CWE, CPE, and related NVD facets
- Supports CISA Known Exploited Vulnerabilities (KEV) status in queries
- Optional NVD_API_KEY raises NVD rate limit from 5 to 50 requests per 30 seconds
- Configurable NVD_REQUEST_TIMEOUT_MS (default 10000 ms) for heavy history calls
- @cyanheads/nist-nvd-mcp-server v0.1.9 with stdio transport via Bun
- Without NVD_API_KEY: 5 requests per 30 seconds documented in server env
- With NVD_API_KEY: 50 requests per 30 seconds documented in server env
- Default NVD_REQUEST_TIMEOUT_MS 10000; README suggests up to 60000 for some history calls without a key
Community signal: 1 GitHub star.
What problem does it solve?
Pre-release security work fragments across NVD search pages while you need fast, citeable CVE answers inside your coding session.
Who is it for?
Indie developers shipping SaaS or agents who want NVD-grounded vulnerability lookups during review and incident triage.
Skip if: your organization requires private SBOM platforms, authenticated ticketing workflows, or guaranteed-SLA vulnerability feeds without NVD’s public limits.
What do I get? / Deliverables
After install, your agent can pull authoritative NVD records on demand so you patch, document, and gate releases with less context switching.
- Agent-driven NVD CVE search results with severity and metadata
- CWE and CPE-filtered views for stack-specific triage
- KEV-aware answers for prioritizing exploited vulnerabilities
Journey fit
Shipping safely requires knowing what CVEs affect your stack; NVD is the canonical US vulnerability feed agents should query before release. Security subphase covers vuln intelligence and audit support—this MCP wraps NVD filters your solo review would otherwise open in a browser tab.
How it compares
NVD query MCP adapter, not a full SCA scanner or penetration testing framework.
Common Questions / FAQ
Who is io.github.cyanheads/nist-nvd-mcp-server for?
It is for builders and security-minded solo devs using MCP agents who need programmatic NIST CVE search during ship and operate workflows.
When should I use io.github.cyanheads/nist-nvd-mcp-server?
Use it before releases or when triaging a reported CVE to confirm severity, affected CPEs, and CISA KEV status from primary NVD data.
How do I add io.github.cyanheads/nist-nvd-mcp-server to my agent?
Install @cyanheads/nist-nvd-mcp-server, configure stdio in your MCP host, set NVD_API_KEY if you need higher rate limits, and optionally tune NVD_REQUEST_TIMEOUT_MS.