NIST NVD MCP Server avatar

NIST NVD MCP Server

Pricing

from $10.00 / 1,000 price for completing a tool calls

Go to Apify Store
NIST NVD MCP Server

NIST NVD MCP Server

MCP server exposing NIST NVD CVE search, CPE search, and CVSS v2/v3/v4 calculators as tools.

Pricing

from $10.00 / 1,000 price for completing a tool calls

Rating

0.0

(0)

Developer

R.L.

R.L.

Maintained by Community

Actor stats

0

Bookmarked

1

Total users

0

Monthly active users

7 hours ago

Last modified

Share

NIST NVD MCP Server

An MCP server that exposes the NIST National Vulnerability Database to AI agents as tools — CVE search, CPE (product/platform) search, and native CVSS v2/v3.0/v3.1/v4.0 scoring, matching the data behind the NVD vulnerability search, CPE search, and CVSS v4 calculator pages. Built on FastMCP and deployed as an Apify Actor in Standby mode, so it runs as a persistent HTTP endpoint rather than a one-shot batch job.

Why use this?

Security teams, vulnerability management tools, and AI coding assistants need to look up CVE details, check what a given CPE (software/hardware identifier) is vulnerable to, and score custom vulnerability findings against the CVSS standard — without hand-rolling calls to NVD's REST API or re-deriving the CVSS math. This server wraps all three into MCP tools an agent can call directly, with built-in NVD rate-limit handling and retries. Running it on Apify gives you a hosted, always-on endpoint with API-token auth and usage-based billing, instead of self-hosting.

How to use

  1. If you don't have one, create a free Apify account and grab your API token from console.apify.com/settings/integrations.
  2. Open this Actor's page in Apify Console and copy its MCP endpoint URL from the API tab (it looks like https://rl1987--nist-nvd-mcp-server.apify.actor/mcp).
  3. Connect your MCP client (Claude Code, Claude Desktop, an agent framework, etc.) to that URL over Streamable HTTP, passing your Apify API token as a Bearer token — see Connect to Claude Code below for the exact command.
  4. Call search_cves, get_cve, search_cpes, or calculate_cvss_score from your agent. You're billed per completed tool call — see Pricing.

Connect to Claude Code

With the Actor's MCP endpoint URL and your Apify API token from above, run:

claude mcp add --transport http nist-nvd https://rl1987--nist-nvd-mcp-server.apify.actor/mcp \
--header "Authorization: Bearer <YOUR_APIFY_API_TOKEN>"

Replace <YOUR_APIFY_API_TOKEN> with your own Apify API token — not the Actor owner's.

  • This adds the server at local scope (private, current project only). Add --scope user instead to make it available in every project on your machine.
  • Verify it connected: run claude mcp list, or type /mcp in an interactive Claude Code session — nist-nvd should show as connected with 4 tools.
  • Try it: ask Claude "look up CVE-2021-44228 in NVD" or "what's the CVSS v4 base score for CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" — it will call the tools directly.
  • Remove it later with claude mcp remove nist-nvd.

If you're on a team and want everyone to pick up this server automatically, commit a .mcp.json with just the URL (never the token) to your repo root:

{
"mcpServers": {
"nist-nvd": {
"type": "http",
"url": "https://rl1987--nist-nvd-mcp-server.apify.actor/mcp"
}
}
}

Each teammate then runs the claude mcp add ... --scope local command above once with their own token, which layers on top of the shared .mcp.json config without ever touching the repo.

Input

No Actor input is required to start the server — it runs in Standby mode and accepts MCP tool calls directly over HTTP. Optionally set the NVD_API_KEY environment variable (free from nvd.nist.gov/developers/request-an-api-key) to raise the NVD rate limit from 5 to 50 requests per 30 seconds.

Tools

  • search_cves — search CVE records by keyword, CVE ID, CPE name, CVSS v2/v3/v4 severity, CWE, vuln status, source, date range, or CISA KEV flag. Paginated.
  • get_cve — fetch a single CVE record by ID (e.g. CVE-2021-44228).
  • search_cpes — search CPE product/platform records by keyword, CPE match string, or CPE name ID. Paginated.
  • calculate_cvss_score — score any CVSS v2, v3.0, v3.1, or v4.0 vector string (version auto-detected from the vector prefix) and return the base/temporal/environmental scores and severities.

Output

Each tool returns a human-readable summary plus structured content. Example get_cve output:

{
"id": "CVE-2021-44228",
"sourceIdentifier": "security@apache.org",
"published": "2021-12-10T10:15:09.143",
"vulnStatus": "Analyzed",
"description": "Apache Log4j2 JNDI features do not protect against attacker controlled LDAP...",
"cvssMetrics": {
"cvssV3_1": { "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "baseScore": 10.0, "baseSeverity": "CRITICAL" }
},
"cwes": ["CWE-20", "CWE-400", "CWE-502"],
"references": [{ "url": "https://logging.apache.org/log4j/2.x/security.html", "source": "security@apache.org", "tags": ["Vendor Advisory"] }],
"cisaKev": true
}

calculate_cvss_score output:

{
"version": "3.1",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"baseScore": 9.8,
"baseSeverity": "Critical"
}

Pricing

This Actor uses Pay Per Event pricing: a flat fee per completed tool call (see .actor/pay_per_event.json). There is no charge for failed calls or for connecting/idling.

Tips

  • Pass a free NVD_API_KEY to avoid NVD's tighter unauthenticated rate limit (5 req/30s vs 50 req/30s with a key).
  • Use pub_start_date/pub_end_date or last_mod_start_date/last_mod_end_date (max 120-day span, ISO-8601) to page through large result sets instead of relying on keyword alone.
  • cpe_match_string accepts a partial CPE 2.3 URI, e.g. cpe:2.3:o:microsoft:windows_10, to browse a vendor/product family.

FAQ

This Actor only reads publicly published NIST NVD data via NVD's own REST API — it does not scrape or bypass any access controls. CVSS scoring is computed locally using a spec-conformant implementation, not by calling NIST's calculator pages. NVD API availability and rate limits are outside this Actor's control; see nvd.nist.gov/developers for their current terms. Report issues via the Actor's Issues tab.