NIST NVD MCP Server
Pricing
from $10.00 / 1,000 price for completing a tool calls
NIST NVD MCP Server
MCP server exposing NIST NVD CVE search, CPE search, and CVSS v2/v3/v4 calculators as tools.
Pricing
from $10.00 / 1,000 price for completing a tool calls
Rating
0.0
(0)
Developer
R.L.
Maintained by CommunityActor stats
0
Bookmarked
1
Total users
0
Monthly active users
7 hours ago
Last modified
Categories
Share
NIST NVD MCP Server
An MCP server that exposes the NIST National Vulnerability Database to AI agents as tools — CVE search, CPE (product/platform) search, and native CVSS v2/v3.0/v3.1/v4.0 scoring, matching the data behind the NVD vulnerability search, CPE search, and CVSS v4 calculator pages. Built on FastMCP and deployed as an Apify Actor in Standby mode, so it runs as a persistent HTTP endpoint rather than a one-shot batch job.
Why use this?
Security teams, vulnerability management tools, and AI coding assistants need to look up CVE details, check what a given CPE (software/hardware identifier) is vulnerable to, and score custom vulnerability findings against the CVSS standard — without hand-rolling calls to NVD's REST API or re-deriving the CVSS math. This server wraps all three into MCP tools an agent can call directly, with built-in NVD rate-limit handling and retries. Running it on Apify gives you a hosted, always-on endpoint with API-token auth and usage-based billing, instead of self-hosting.
How to use
- If you don't have one, create a free Apify account and grab your API token from console.apify.com/settings/integrations.
- Open this Actor's page in Apify Console and copy its MCP endpoint URL from the API tab (it looks like
https://rl1987--nist-nvd-mcp-server.apify.actor/mcp). - Connect your MCP client (Claude Code, Claude Desktop, an agent framework, etc.) to that URL over Streamable HTTP, passing your Apify API token as a Bearer token — see Connect to Claude Code below for the exact command.
- Call
search_cves,get_cve,search_cpes, orcalculate_cvss_scorefrom your agent. You're billed per completed tool call — see Pricing.
Connect to Claude Code
With the Actor's MCP endpoint URL and your Apify API token from above, run:
claude mcp add --transport http nist-nvd https://rl1987--nist-nvd-mcp-server.apify.actor/mcp \--header "Authorization: Bearer <YOUR_APIFY_API_TOKEN>"
Replace <YOUR_APIFY_API_TOKEN> with your own Apify API token — not the Actor owner's.
- This adds the server at
localscope (private, current project only). Add--scope userinstead to make it available in every project on your machine. - Verify it connected: run
claude mcp list, or type/mcpin an interactive Claude Code session —nist-nvdshould show as connected with 4 tools. - Try it: ask Claude "look up CVE-2021-44228 in NVD" or "what's the CVSS v4 base score for CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" — it will call the tools directly.
- Remove it later with
claude mcp remove nist-nvd.
If you're on a team and want everyone to pick up this server automatically, commit a .mcp.json with just the URL (never the token) to your repo root:
{"mcpServers": {"nist-nvd": {"type": "http","url": "https://rl1987--nist-nvd-mcp-server.apify.actor/mcp"}}}
Each teammate then runs the claude mcp add ... --scope local command above once with their own token, which layers on top of the shared .mcp.json config without ever touching the repo.
Input
No Actor input is required to start the server — it runs in Standby mode and accepts MCP tool calls directly over HTTP. Optionally set the NVD_API_KEY environment variable (free from nvd.nist.gov/developers/request-an-api-key) to raise the NVD rate limit from 5 to 50 requests per 30 seconds.
Tools
- search_cves — search CVE records by keyword, CVE ID, CPE name, CVSS v2/v3/v4 severity, CWE, vuln status, source, date range, or CISA KEV flag. Paginated.
- get_cve — fetch a single CVE record by ID (e.g.
CVE-2021-44228). - search_cpes — search CPE product/platform records by keyword, CPE match string, or CPE name ID. Paginated.
- calculate_cvss_score — score any CVSS v2, v3.0, v3.1, or v4.0 vector string (version auto-detected from the vector prefix) and return the base/temporal/environmental scores and severities.
Output
Each tool returns a human-readable summary plus structured content. Example get_cve output:
{"id": "CVE-2021-44228","sourceIdentifier": "security@apache.org","published": "2021-12-10T10:15:09.143","vulnStatus": "Analyzed","description": "Apache Log4j2 JNDI features do not protect against attacker controlled LDAP...","cvssMetrics": {"cvssV3_1": { "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "baseScore": 10.0, "baseSeverity": "CRITICAL" }},"cwes": ["CWE-20", "CWE-400", "CWE-502"],"references": [{ "url": "https://logging.apache.org/log4j/2.x/security.html", "source": "security@apache.org", "tags": ["Vendor Advisory"] }],"cisaKev": true}
calculate_cvss_score output:
{"version": "3.1","vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore": 9.8,"baseSeverity": "Critical"}
Pricing
This Actor uses Pay Per Event pricing: a flat fee per completed tool call (see .actor/pay_per_event.json). There is no charge for failed calls or for connecting/idling.
Tips
- Pass a free
NVD_API_KEYto avoid NVD's tighter unauthenticated rate limit (5 req/30s vs 50 req/30s with a key). - Use
pub_start_date/pub_end_dateorlast_mod_start_date/last_mod_end_date(max 120-day span, ISO-8601) to page through large result sets instead of relying onkeywordalone. cpe_match_stringaccepts a partial CPE 2.3 URI, e.g.cpe:2.3:o:microsoft:windows_10, to browse a vendor/product family.
FAQ
This Actor only reads publicly published NIST NVD data via NVD's own REST API — it does not scrape or bypass any access controls. CVSS scoring is computed locally using a spec-conformant implementation, not by calling NIST's calculator pages. NVD API availability and rate limits are outside this Actor's control; see nvd.nist.gov/developers for their current terms. Report issues via the Actor's Issues tab.