NIST NVD MCP. Know every vulnerability affecting your product.
NIST NVD provides direct, conversational access to the National Vulnerability Database (NVD). Your agent can search for common vulnerabilities and exposures (CVEs), map threats to specific products using CPE strings, or analyze risk based on severity levels. It’s your single source for authoritative cybersecurity product data.
Give Claude and any AI agent real-world access
You can find all known flaws linked to a specific piece of software or hardware using its official Common Platform Enumeration (CPE) string.
The MCP lets you look up vulnerabilities based on the underlying weakness, like CWE-89, rather than just knowing the CVE ID.
You can narrow down thousands of results to see only those vulnerabilities rated as Critical or High severity for immediate action.
Retrieve a log detailing when vulnerability records were published, modified, or updated in the NVD database.
You can search the CPE dictionary by simple keywords to identify potential software and hardware products involved in an exploit.
What AI agents can do with NIST NVD: 10 Vulnerability Tools
These tools allow you to query the National Vulnerability Database for specific CVEs, map products via CPE identifiers, and filter threats based on severity or weakness type.
Make your AI actually useful.
Add this MCP to Claude, Cursor, or Windsurf and your AI stops guessing. It gets real tools to look things up, take action, and handle the stuff you keep doing by hand.
Get Cpe By Id
Retrieves a specific entry from the CPE product dictionary using its unique UUID.
Get Cve By Id
Fetches all details for a known Common Vulnerabilities and Exposures (CVE)...
Get Cve Change History
Retrieves a detailed log showing when a specific CVE entry was modified or updated...
List Cpe Matches
Lists valid CPE match strings to help you understand product scope and applicability.
Search Cpe By Keyword
Searches the entire product dictionary for entries matching a specified keyword.
Search Cve By Cpe
Finds all associated CVE vulnerabilities that affect a specific product defined by its CPE string.
Search Cve By Cwe
Searches for CVEs linked to a weakness type, such as CWE-89 (SQL Injection).
Search Cve By Date
Filters the database to find CVEs that were published or modified within a specific...
Search Cve By Keyword
Performs a broad search across all vulnerability data using general keywords.
Search Cve By Severity
Narrows down the results to only show CVEs that meet a specific CVSS severity level...
Security and governance baked right in.
Pick your AI client below to get set up. Just create a Vinkius account, subscribe, and you're instantly up and running. We handle the entire backend infrastructure, delivering out-of-the-box support for HTTPS Streamable, SSE, and OAuth2—zero messy routing required.
Make Your AI Do More
Start with NIST NVD, then connect any of our 5,200+ other servers whenever your AI needs more. One click, no limits.
- Use this MCP plus 5,200+ others, all in one place
- Add new capabilities to your AI anytime you want
- Connections are secured and governed automatically
- Track usage and costs across all your servers
- Works with Claude, ChatGPT, Cursor, and more
- New servers added to the catalog weekly
Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by NIST NVD. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.
VINKIUS CLOUD
- Cloud Hosted: Managed infra
- V8 Isolated: Sandboxed per request
- Zero-Trust Proxy: No stored credentials
- DLP Enforced: Policy on each call
- GDPR Compliant: EU data residency
- Token Compression: ~60% cost reduction
Threat intelligence gathering used to be slow and fragmented.
Today, checking for vulnerabilities involves navigating multiple government sites or running complex command-line searches. You copy a product name into one search engine, then the CPE string into another, and finally cross-reference dates across third-party feeds. It's tedious work that often means missing critical information because you can't keep all those context windows open at once.
With this MCP, your agent handles the entire process conversationally. You just ask about a product or weakness. The system coordinates calls to find CPE matches, identify related CVEs, and sort them by severity—giving you a single, immediate risk assessment.
get_cve_by_id: Direct access to critical vulnerability details
The biggest time-sink was having to manually look up the full technical description for every CVE ID you found. You'd copy a number, paste it into Google, and sift through pages of developer notes just to understand what kind of exploit it was.
Now, when your agent retrieves details using get_cve_by_id, you get the entire vulnerability profile—CVSS score, affected versions, and exploitation mechanism—in one clean response. It’s instant context for every single threat.
What NIST NVD MCP does for your AI
Think of this MCP as a direct line to the global repository of security weaknesses. You connect it through Vinkius, giving your AI agent access to the world's most comprehensive archive of vulnerability and product information.
Instead of jumping between government sites or running complex queries in a dashboard, you just talk to your agent. Need to know if 'Microsoft Word 2019' has any known critical flaws? Ask it. Want to check every weakness associated with a specific component version? It handles that too. You can filter threats by how severe they are—Low, Medium, or Critical—to prioritize what needs fixing right now.
The tool also lets you track changes in the database over time, so you always know if a threat was recently added or updated. This capability makes it an essential resource for anyone managing digital risk.
How to set up NIST NVD MCP
The bottom line is you get authoritative vulnerability intelligence without writing complex API calls or navigating dense government websites.
Subscribe to this MCP via Vinkius. You might need your NIST NVD API Key if you expect high usage.
Direct your natural language query to your AI client, referencing the product or threat details needed.
The agent uses the relevant tool to search and return a structured list of vulnerabilities, CPEs, severity scores, or historical data.
Who uses NIST NVD MCP
This MCP is for security analysts and DevOps engineers who are tired of manual threat hunting. If your job involves correlating known vulnerabilities to the software stack you manage, this tool saves hours of painful cross-referencing.
They use this MCP to quickly gather CVE details or CVSS scores when assessing a new risk, helping them prioritize mitigation efforts immediately.
They monitor the system for newly published vulnerabilities affecting specific software versions in their deployment pipeline.
They automate the gathering of vulnerability data required for security audits and generating compliance reports across multiple systems.
Benefits of connecting NIST NVD MCP
Stop guessing about risk. Use search_cve_by_severity to filter thousands of results down to only Critical or High-risk threats, letting you focus on immediate patching needs.
Pinpoint affected products instantly. Running search_cve_by_cpe correlates vulnerabilities directly with a product's official CPE string, eliminating guesswork about scope.
Contextualize your findings. Instead of just seeing a CVE ID, get detailed information via get_cve_by_id and understand the full impact on your infrastructure.
Stay ahead of zero-days. Use search_cve_by_date to monitor only vulnerabilities published in the last 48 hours, ensuring you track emerging threats rapidly.
Validate product scope using get_cpe_by_id. If you aren't sure what the official CPE for a piece of software is, this tool gives you the authoritative reference needed before running any vulnerability checks.
NIST NVD MCP use cases
Responding to an incident report
A security analyst receives a suspicious alert mentioning 'Log4j' and needs immediate context. They ask their agent, which uses search_cve_by_keyword, to pull all relevant CVEs and then use search_cve_by_severity to filter the list down only to those rated Critical, providing an actionable remediation list.
Onboarding a new product
A DevOps engineer is deploying a new internal microservice. They ask their agent to search_cpe_by_keyword for all components used in the stack, then use search_cve_by_cpe on each component's CPE ID to guarantee no known flaws are present before launch.
Preparing for an audit
A compliance officer needs proof of due diligence regarding outdated software. They instruct their agent to search_cve_by_date for vulnerabilities published in the last quarter, and then use get_cve_change_history to prove they are tracking timely updates.
Deep dive threat hunting
A researcher needs to understand a specific type of weakness. They ask their agent to search_cve_by_cwe, targeting only injection flaws (CWE-89), and then use get_cve_by_id on the most severe results for technical details.
NIST NVD MCP tradeoffs
What to watch out for, and the recommended way to handle each one.
Treating NVD as a search engine
Asking your agent, 'What's wrong with my Windows PC?' This is too vague and yields useless results because the tool requires specific product identifiers or keywords.
Be precise. Instead of general questions, use get_cpe_by_id to find the exact CPE for 'Windows 11', then run search_cve_by_cpe with that identifier. This guarantees relevant and actionable results.
Ignoring severity context
Pulling a massive list of CVEs from an entire product line, getting bogged down in thousands of 'Low' severity issues.
Always filter first. Use search_cve_by_severity to restrict results immediately to Critical or High. This focuses your attention on the vulnerabilities that pose the greatest risk.
Manually cross-referencing data
Copying a CPE string from one spreadsheet, pasting it into a browser search, then manually checking multiple vulnerability databases.
Let your agent do it. Pass the CPE to search_cve_by_cpe and get an immediate, comprehensive list of all related CVEs in one go.
When to use NIST NVD MCP
Use this MCP when you need authoritative data on known vulnerabilities tied to specific products or weaknesses. If your goal is gap analysis—figuring out what's missing from your code base—this is perfect because it gives you the reference data (CPE, CVE). However, don't use this if you need real-time runtime scanning of an active server for zero-day exploits; this MCP only accesses published historical records. If you are trying to compare vulnerability severity against internal risk scoring models, you'll want a specialized governance tool instead. Use it when the core question is: 'Is Product X vulnerable to Flaw Y?'
Frequently asked questions about NIST NVD MCP
How do I find all vulnerabilities affecting 'Apache Struts' using NIST NVD?
You can first search_cve_by_keyword with 'Apache Struts'. Then, use the CPEs found to run search_cve_by_cpe for a complete list of related CVEs.
Can I check if my current software versions are listed in NIST NVD?
Yes. You can start by using search_cpe_by_keyword to find the official CPE name, and then pass that identifier into search_cve_by_cpe to see all known flaws.
Does NIST NVD help me prioritize which vulnerabilities to fix?
Absolutely. Use search_cve_by_severity to filter results by CVSS score—you can narrow the focus instantly to Critical, High, or Medium risks for quick action.
What is the difference between get_cve_by_id and search_cve_by_keyword?
get_cve_by_id gives you everything about one specific flaw (e.g., CVE-2023-1234). search_cve_by_keyword finds all flaws related to a general topic or component name.
How do I know if the vulnerability data is recent?
Use search_cve_by_date. This tool lets you narrow down results based on publication date, ensuring your assessment covers only recently reported threats.