vulnerability-intelligence

The vulnerability-intelligence MCP server offers a modular suite of security tools that provide CVE lookups, EPSS scoring, CVSS calculations, vulnerability searches, exploit availability checks, vulnerability timelines, VEX status checks, and Python package vulnerability assessments. You can connect to this server using an MCP client (for example Claude Desktop or Cursor IDE) via the embedded SSE endpoint or by using the server’s fetch capability through the provided npx command. Once connected, you can issue natural-language style prompts that map to the individual tools, such as asking for a CVE lookup, EPSS score for a CVE, or a package vulnerability check, and the server will route your query to the appropriate tool and return structured results with sources and references.

Prerequisites:\n- Node.js and npm (for using the hosted MCP fetch client via npx) or Docker if you prefer containerized usage. Optional: uv/Python if you want to run a local development setup as described in the repository notes.\n\nRecommended local setup (Node/npx):\n1. Ensure you have Node.js and npm installed.\n2. You don't need to install anything specific for the server; you will use npx to fetch the MCP server client.\n3. Connect to the hosted server or run locally via the provided methods in your MCP client configuration.\n\nAlternative: Docker (local development)\n1. Clone the repository or pull the corresponding image if provided.\n2. Follow the Docker setup in the repository to build and run the container (docker compose up --build -d).\n3. The server will be available at http://localhost:8000/sse.\n\nAlternative: uv/Python local setup\n1. Install uv if you are developing against the Python tooling: pip install uv.\n2. Install dependencies and run the local MCP server as documented in the repository (e.g., uv run mcp-simple-tool).

Tips and common considerations:\n- The FETCH_URL environment variable must point to the SSE endpoint of the hosted MCP server when using the npx client. Make sure the URL is accessible from your network.\n- When configuring clients (Claude, Cursor), you typically provide either a fetch-based client or an SSE URL, depending on the client capabilities. The hosted server demonstrates both options in the README.\n- Tools cover a broad range of security intelligence tasks. If you use natural language prompts, the MCP server will route to: cve_lookup, get_epss_score, calculate_cvss_score, search_vulnerabilities, get_exploit_availability, get_vulnerability_timeline, get_vex_status, and package_vulnerability_check.\n- Ensure you have network access to external data sources (NVD, FIRST EPSS, PyPI, etc.) for accurate results.\n- If you encounter rate limits or API changes, check the tool modules for updated data source endpoints or cache strategies.\n- For local testing, you can use the example queries provided in the README to validate each tool’s response format and ensure proper integration with your MCP client.\n- The npm package name for the Node-based MCP fetch client used here is @modelcontextprotocol/server-fetch.