Vulners MCP

Bring Vulners Intelligence, Assessment, and Exploits into your LLMs and agentic workflows. Break cutoffs, ground answers in live facts, and keep tokens lean.

Vulners continuously collects and normalizes vulnerability intelligence from hundreds of upstream sources into a graph‑linked corpus (CVE ↔ advisories ↔ patches ↔ exploits). Vulners MCP exposes that corpus to AI systems via Model Context Protocol (MCP) and compatible toolchains, so copilots and agents can fetch current, structured context on demand—instead of guessing from stale embeddings.

Availability

Why this matters

CVE data moves fast. LLMs hallucinate, go stale, and bloat prompts with out‑of‑date KBs. With Vulners MCP, your agent calls for the ground truth when needed and gets normalized JSON it can cite—reducing hallucinations, keeping replies concise, and enabling verifiable links to vendor advisories, patches, and exploit intel.

What you get

  • Live, structured answers for CVEs and products—no more “I don’t know that CVE.”
  • Agent‑native interface (MCP/stdio or HTTP) that plugs into Claude Desktop, Cursor, and other tool‑aware frameworks.
  • Prioritization signals in the same records your tools fetch (e.g., exploitation activity, KEV presence, scoring metrics) to triage quickly.
  • Cross‑product reach: a single entrypoint to Vulners Intelligence, Assessment, and Exploits in an LLM/agent workflow.

How it works (at a glance)

  1. User asks about a CVE or product in your copilot.
  2. Agent calls a Vulners MCP tool with the ID (or product/version).
  3. Vulners resolves and enriches from the corpus (advisories, exploitation, metrics, references).
  4. Agent replies with citations and optional remediation context.

Tasks → Tools

Focus on the outcome; pick the tool by the information you have.

A) Get ground‑truth intelligence for vulnerability analysis

  • You know the ID (CVE or vendor bulletin): use bulletin_by_id
    Params: id (string | string[])
    Returns: bulletin record(s) as structured JSON. Use this to drive explanations, links, and prioritization.
    Tip: Batch multiple CVE IDs in a single call for efficiency.

  • You’re exploring without IDs (topics, vendors, recent activity): use search_lucene
    Params: query (string), skip (int), size (int)
    Returns: a pageable search response with hits you can expand via bulletin_by_id.

  • You need CPEs or fast entity hints: use search_cpe (CPE strings) and query_autocomplete (type‑ahead for vendors/products/CVEs).
    Returns: structured lists suitable for driving the next tool call.

Follow‑up: After discovery, collect the CVE IDs from results and call bulletin_by_id to retrieve full, normalized records with references you can show to users.

B) Assess assets for vulnerability impact (is X affected?)

  • Exact software version audit: use audit_software
    Params: body (object with software identifiers — CPE or name+version)
    Returns: structured assessment JSON indicating relevant advisories/CVEs for that specific version.

  • Linux package list audit (per distro): use audit_linux_packages
    Params: os (string), version (string), package (string[]), include_candidates? (boolean)
    Returns: per‑package assessment with applicable advisories/CVEs suitable for ticketing/patch planning.
    Helper: get_supported_os lists valid distro identifiers/versions.

Follow‑up: For any CVE IDs surfaced by audits, batch them into bulletin_by_id to retrieve richer details (patches, references, exploitation indicators) that your copilot can cite.

Field notes (derived from implementation): Tool outputs are deterministic JSON specific to each method (e.g., search responses, bulletins, audit summaries). Where present, records include references (vendor advisories/patches), exploitation/KEV indicators, and scoring metrics suitable for triage and ranking.


Quickstart (two minutes)

1) Hosted — point your agent to https://mcp.vulners.com/mcp (HTTP transport), set VULNERS_API_KEY, and connect from Claude Desktop or Cursor.
2) Container — run the image (e.g., from Docker Hub) and connect via stdio (Claude Desktop) or HTTP.
3) Open source — clone github.com/vulnersCom/vulners-mcp and run locally; great for customization.

Auth: Provide your Vulners API key via the VULNERS_API_KEY configuration (env/server) or pass it as an HTTP X-Api-Key header when calling the hosted endpoint.

Routing policy (teach your agent):

  • Known ID → bulletin_by_id
  • No ID / discovery → search_lucene
  • Exact version → audit_software
  • Linux packages → get_supported_os → audit_linux_packages
  • Need CPEs → search_cpe
  • After audits → batch CVE IDs → bulletin_by_id
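
The routing policy above as a small client-side router, added here as an illustration (not code from the Vulners MCP project). It builds MCP JSON-RPC `tools/call` requests using the tool and parameter names listed on this page; the precedence between branches, the default page size, the CVE-only ID matching (vendor bulletin IDs are not recognised) and the sample audit result are assumptions.

```python
import json
import re
from itertools import count

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)
_request_ids = count(1)

def tool_call(name, arguments):
    """Wrap a tool invocation in an MCP JSON-RPC 2.0 tools/call request."""
    return {"jsonrpc": "2.0", "id": next(_request_ids), "method": "tools/call",
            "params": {"name": name, "arguments": arguments}}

def extract_cve_ids(value):
    """Walk any JSON value; return unique CVE IDs, upper-cased, first-seen order."""
    found = {}
    def walk(v):
        if isinstance(v, str):
            for match in CVE_RE.findall(v):
                found.setdefault(match.upper())
        elif isinstance(v, dict):
            for key, item in v.items():
                walk(key)
                walk(item)
        elif isinstance(v, list):
            for item in v:
                walk(item)
    walk(value)
    return list(found)

def route(text="", software=None, os_name=None, os_version=None, packages=None):
    """Pick the tool from the inputs available (precedence is an assumption)."""
    if packages:  # confirm os/version against get_supported_os first
        return tool_call("audit_linux_packages", {
            "os": os_name, "version": os_version, "package": list(packages)})
    if software:  # caller-supplied identifiers: CPE or name+version
        return tool_call("audit_software", {"body": software})
    ids = extract_cve_ids(text)
    if ids:  # one batched call covers every ID mentioned
        return tool_call("bulletin_by_id", {"id": ids})
    return tool_call("search_lucene", {"query": text, "skip": 0, "size": 10})

def follow_up(tool_result):
    """After an audit or search, batch surfaced CVE IDs into bulletin_by_id."""
    ids = extract_cve_ids(tool_result)
    return tool_call("bulletin_by_id", {"id": ids}) if ids else None

# Constructed sample result; the real response schema is not shown on the page.
SAMPLE_AUDIT = {"packages": {"openssl 1.1.1f": [{"cvelist": ["CVE-2099-0001", "cve-2099-0002"]}],
                             "bash 5.0": [{"cvelist": ["CVE-2099-0002"]}]}}

if __name__ == "__main__":
    print(json.dumps(route(text="Explain CVE-2099-0001 and cve-2099-0002"), indent=2))
    print(json.dumps(follow_up(SAMPLE_AUDIT), indent=2))
```

Because `extract_cve_ids` walks the whole result instead of reading named fields, the follow-up step keeps working if the audit or search response layout differs from the constructed sample.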

Implementation patterns

  • Answer with citations. Always surface references so users can verify vendor advisories/patches.
  • Prioritize like an analyst. Elevate items with exploitation in the wild or CISA KEV; use scoring metrics for tie‑breaks.
  • Keep tokens tight. Request only the fields you need; expand after the user asks.
  • Batch where possible. One bulletin_by_id call can cover many CVEs.

FAQ

How is this different from querying a vector DB?
Vectors store your knowledge; MCP fetches live ground truth at answer time with verifiable sources.

What’s the fastest way to try it?
Connect Claude Desktop or Cursor to the hosted endpoint and ask about a recent CVE or audit a package list.

Can we run it ourselves?
Yes—use the container image or the open‑source server and point your agents at your instance.

TL;DR

  • Ground your agents in live vulnerability facts from Vulners Intelligence, Assessment, and Exploits.
  • Use the right tool for the task: ID → bulletin_by_id, discovery → search_lucene, audits → audit_software / audit_linux_packages.
  • Deliver verifiable, prioritized answers with minimal tokens and zero hallucinations.