# NIST NVD MCP

> NIST NVD connects your AI agent directly to the National Vulnerability Database. It lets you find authoritative cybersecurity data: track specific CVE IDs, map vulnerabilities to products using CPE strings, or search for weaknesses by date and severity level. Stop piecing together risk reports from multiple sources; query all the official vulnerability intelligence in one go.

## Overview
- **Category:** the-unthinkable
- **Price:** Free
- **Tags:** cve, cybersecurity, vulnerability-management, threat-intelligence, security-standards, product-security

## Description

You're connecting your AI agent straight to the National Vulnerability Database (NVD). This means you get direct access to the most authoritative cybersecurity data out there—no need to piece together risk reports from half a dozen different sources. You can track specific CVE IDs, map product weaknesses using CPE strings, or search for vulnerabilities based on severity and date. We're talking deep intelligence, pulled through your AI client.

**When you need details about one specific vulnerability**, use `get_cve_by_id`. Just give it the unique CVE identifier (like CVE-2023-1234), and you get every single detail on that weakness. If you're looking at a product, you can **find all associated vulnerabilities** using its CPE string; just run `search_cve_by_cpe`. You also wanna know what changed? Use `get_cve_change_history` to pull a log of every update or modification made to the vulnerability database—perfect for tracking data changes over time.

**If you're starting from product information**, you can first look up its full dictionary entry using its specific UUID via `get_cpe_by_id`. You wanna know what products exist? Use `search_cpe_by_keyword` to search the product dictionary with a general term, helping you spot potential software or hardware targets. To see all possible scope definitions for filtering, run `list_cpe_matches`, which lists every valid CPE match string available in the dictionary.

**Filtering and Searching by Weakness**: When you're hunting for vulnerabilities based on risk, use `search_cve_by_severity`. This lets you filter the entire pool of issues down to only show weaknesses above a certain threshold—think 'Critical' or 'High.' If the weakness isn't tied to a specific product, you can target it by common weakness type (CWE) using `search_cve_by_cwe`. You also don't need product names for broad searches; run `search_cve_by_keyword` to perform a general search across the database using terms like 'SQL injection' or 'Remote Code Execution.'

**Pinpointing Threats in Time and Scope**: To focus on when things happened, use `search_cve_by_date`. You just give it a date range, and you get all CVEs published or modified within that specific window. For the deepest dive into a product's weaknesses, if you know the CPE string and want to see the associated weaknesses, run `search_cve_by_cpe` again. If you need to narrow a search using general terms but also link it to an existing product identifier, you can use `search_cve_by_keyword` on the CVE side.

**The bottom line is this**: This setup lets your agent handle complex queries that would otherwise take hours of manual API calls. You don't need to know NVD's internal structure—you just tell it what you want. Whether you're checking for all weaknesses associated with 'Windows Server 2019,' tracking every change made to the database last week, or looking up general product details using CPE keywords, this gives you a direct line to industry-standard risk data.

## Tools

### get_cpe_by_id
Retrieves the full dictionary entry for a product using its specific UUID.

### get_cve_by_id
Gets all details about a vulnerability when you provide the unique CVE identifier (e.g., CVE-2023-1234).

### get_cve_change_history
Retrieves a log of every update or modification made to the vulnerability database for tracking changes.

### list_cpe_matches
Lists all valid CPE match strings available in the dictionary, useful for defining scope.

### search_cpe_by_keyword
Searches the product dictionary using a general keyword to identify potential software or hardware products.

### search_cve_by_cpe
Finds all associated CVE vulnerabilities for a specific product identified by its CPE string.

### search_cve_by_cwe
Identifies CVEs based on a common weakness type (CWE) rather than a specific product or keyword.

### search_cve_by_date
Searches for vulnerabilities published or modified within a specified date range.

### search_cve_by_keyword
Performs a broad search across the database using general terms like 'Remote Code Execution' or 'SQL injection'.

### search_cve_by_severity
Filters the entire vulnerability set to only include issues above a specified severity level (e.g., Critical).

## Prompt Examples

**Prompt:** 
```
Get the details for CVE-2023-23397.
```

**Response:** 
```
Retrieving CVE-2023-23397... This is a Critical elevation of privilege vulnerability in Microsoft Outlook with a CVSS score of 9.8. It allows an attacker to steal NTLM hashes. Would you like to see the list of affected software versions (CPEs)?
```

**Prompt:** 
```
Search for vulnerabilities in 'WordPress' with CRITICAL severity.
```

**Response:** 
```
Searching NVD... I've found several critical vulnerabilities affecting WordPress core and popular plugins. The most recent include CVE-2023-XXXX (Remote Code Execution). Shall I provide the full description for the most recent one?
```

**Prompt:** 
```
What is the official CPE name for 'Windows 11'?
```

**Response:** 
```
Querying CPE dictionary... The primary CPE 2.3 name for Windows 11 is 'cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:*:*'. I also found specific versions for various builds. Would you like to search for CVEs affecting this specific CPE?
```

## Capabilities

### Search by Product Identifier (CPE)
Find all vulnerabilities linked to a specific software package or hardware version using its official Common Platform Enumeration string.

### Look up Vulnerabilities by ID
Get full details on a single, known vulnerability (CVE) when you have the specific identifier.

### Filter by Severity Level
Restrict search results to only show vulnerabilities that meet certain risk thresholds, like 'Critical' or 'High'.

### Track Time-Bound Threats
Search for CVEs published or modified within a precise date range, helping you monitor recent threat activity.

### Identify Product Metadata
Query the official CPE dictionary by keyword to find potential software or hardware products and their identifiers.

## Use Cases

### Investigating a Zero-Day Leak
An analyst hears about a potential vulnerability affecting an old version of Apache. Instead of guessing, they use `search_cve_by_keyword` to find all related CVEs, then immediately feed the results into `search_cve_by_cpe` with the specific CPE string to confirm exactly which versions are vulnerable.

### Compliance Audit of Legacy Systems
A compliance officer needs proof that all systems running 'Java 8' were checked for vulnerabilities in Q3. They use `search_cve_by_date` to limit the scope and then combine it with a CPE search, ensuring every relevant system was audited against known threats.

### Rapid Patch Prioritization
A DevOps team discovers 50 new vulnerabilities. They don't want to read all of them. They run `search_cve_by_severity` and `search_cve_by_cwe` together, filtering the list down instantly to only 'Critical' severity flaws related to memory corruption.

### Mapping a New Vendor Product
You get a product from a new vendor with no internal data. You run `search_cpe_by_keyword` using the vendor name or product type, then use `get_cpe_by_id` on the returned UUIDs to build an accurate inventory for your risk database.

## Benefits

- Pinpoint risk instantly. Instead of sifting through thousands of records, use `search_cve_by_severity` to limit results immediately to only Critical or High-impact vulnerabilities.
- Stop guesswork on product scope. Use `get_cpe_by_id` and `list_cpe_matches` to get the exact, authoritative identifier for any piece of software, eliminating ambiguity in your reports.
- Track emerging threats efficiently. With `search_cve_by_date`, you can monitor only vulnerabilities published last week—perfect for quick incident response checks without pulling years of noise.
- Connect the dots automatically. If you know a product (CPE), use `search_cve_by_cpe` to pull every single vulnerability associated with it, giving you a complete picture in one query.
- Audit historical changes easily. Use `get_cve_change_history` when compliance requires proof of due diligence; this tool tracks who changed what and when.

## How It Works

The bottom line is: you ask your agent a complex question using plain English, and it handles the technical translation into multiple targeted API queries.

1. Subscribe to the NIST NVD MCP Server. (Optional: Add your API Key for higher rate limits.)
2. Direct your AI client (Claude, Cursor, etc.) to formulate a question based on vulnerability criteria (e.g., 'Show me Critical CVEs for Apache last month').
3. The agent executes the necessary tool calls, receives structured data from NVD, and delivers a concise, actionable report back to you.

## Frequently Asked Questions

**How do I find vulnerabilities for a specific software version using the NIST NVD MCP Server?**
Use `search_cve_by_cpe`. You need to provide the Common Platform Enumeration (CPE) string first. This tool ensures you are only looking at CVEs that match that precise product identifier.

**What if I don't know the exact CPE, but I know the software name?**
Start with `search_cpe_by_keyword`. This tool scans the dictionary by keyword and gives you a list of potential UUIDs. You can then feed those IDs into other tools for deeper analysis.

**Can I filter my searches to only show 'Critical' flaws? Which tool do I use?**
You must use `search_cve_by_severity`. This tool lets you specify the minimum severity level, ensuring your results are prioritized for risk mitigation.

**How can I check if a vulnerability has been updated recently?**
Use `get_cve_change_history` or combine it with `search_cve_by_date`. This lets you see when the record was modified, giving you insight into whether the data is fresh.

**How do I use the get_cve_by_id tool to retrieve basic details for a known CVE?**
You pass the full identifier, like 'CVE-2023-1234', directly to the tool. The response gives you immediate context: CVSS score, description summary, and initial affected software types.

**If I know a weakness type but not a product, how do I use search_cve_by_cwe?**
Use the tool with the specific CWE ID (e.g., 'CWE-89'). This returns all known CVEs associated with that vulnerability class, letting you assess the general risk area.

**What is the purpose of the get_cpe_by_id tool?**
This tool checks a specific UUID against the CPE dictionary. It verifies if the identifier is valid and returns the structured product name, confirming its existence in the NVD catalog.

**When should I use search_cve_by_keyword instead of searching by product?**
Use `search_cve_by_keyword` when you're investigating a general threat or exploit name, rather than focusing on a single piece of software. This casts a wider net for related vulnerabilities.

**Is an API Key mandatory?**
No. The NVD API allows public access without a key. However, using a key increases your rate limit significantly (up to 50 requests per 30 seconds).

**What is a CPE string?**
CPE (Common Platform Enumeration) is a structured naming scheme for information technology systems, software, and packages (e.g., cpe:2.3:a:microsoft:exchange_server:2019).
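
A full CPE 2.3 formatted string is the `cpe:2.3` prefix followed by 11 colon-separated attributes, so the example above is an abbreviated form. The following is an added example, not code from the MCP server: it validates a CPE string before it is handed to a tool such as `search_cve_by_cpe`. The function names and the `pad` option are assumptions of this example, and the page does not say whether the server accepts abbreviated strings.

```python
# Attribute order of a CPE 2.3 formatted string (after the "cpe:2.3" prefix).
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")
PARTS = {"a", "o", "h", "*", "-"}  # application, OS, hardware, ANY, NA


def split_unescaped(s):
    """Split on ':' while keeping backslash-escaped characters (e.g. '\\:') intact."""
    fields, cur, i = [], "", 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur += s[i:i + 2]      # keep the escape pair together
            i += 2
        elif s[i] == ":":
            fields.append(cur)
            cur = ""
            i += 1
        else:
            cur += s[i]
            i += 1
    fields.append(cur)
    return fields


def parse_cpe(cpe, pad=False):
    """Return the 11 attributes as a dict, or raise ValueError."""
    fields = split_unescaped(cpe.strip())
    if fields[:2] != ["cpe", "2.3"]:
        raise ValueError("missing 'cpe:2.3:' prefix")
    attrs = fields[2:]
    # pad=True is this example's convenience: missing trailing attributes become '*' (ANY).
    if pad and len(attrs) < len(CPE_FIELDS):
        attrs += ["*"] * (len(CPE_FIELDS) - len(attrs))
    if len(attrs) != len(CPE_FIELDS):
        raise ValueError(f"expected 11 attributes, got {len(attrs)}")
    if "" in attrs:
        raise ValueError("empty attribute")
    parsed = dict(zip(CPE_FIELDS, attrs))
    if parsed["part"] not in PARTS:
        raise ValueError(f"invalid part {parsed['part']!r}")
    return parsed


def to_cpe(parsed):
    """Serialise a parsed dict back to the full 13-component string."""
    return ":".join(["cpe", "2.3"] + [parsed[f] for f in CPE_FIELDS])
```

Rejecting short or malformed strings by default keeps a typo from turning into a lookup against a different or broader product than the one intended.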

**How far back can I search for vulnerabilities?**
The NVD contains vulnerabilities dating back to the late 1990s. You can search the entire database by ID or keyword.