Score breakdown
Popularity is tracked separately. Support, ads, sponsorships, and tips never affect these signals.
Why it matters
Useful for security and DevOps teams that need to triage CVEs in volume: mukul975/cve-mcp-server is the Apache-2.0 production-grade MCP server that turns AI agents into full-spectrum security analysts by exposing 28 tools across 24 security-intelligence APIs (NVD, EPSS, CISA KEV, MITRE ATT&CK, Shodan, VirusTotal, GreyNoise, GitHub Advisory) through the standard Model Context Protocol transport; fo
Who should skip it
Avoid running mukul975/cve-mcp-server in production until you have reviewed its permissions, data-access scope, and failure modes in a sandbox.
About this signal
mukul975/cve-mcp-server is tracked by RepoRadar as a production-grade MCP server in the "Apache-2.0 production-grade MCP server giving AI" section. It was first seen on 2026-06-25 and last updated on 2026-06-25. The current verdict is 'try now' with a Gold tier and moderate setup difficulty. The standout signals for mukul975/cve-mcp-server are workflow potential (9.7) and maturity (8.9), while setup ease (6.4) trails; that balance shapes where it fits best. This page summarizes the evidence RepoRadar has captured from the source metadata. The score, tier, risk label, and verdict on this page are never influenced by sponsorship, ads, or tips; they reflect only the usefulness, popularity, novelty, momentum, maturity, and evidence signals described in the RepoRadar methodology.
How this item is evaluated
RepoRadar assigned mukul975/cve-mcp-server a composite score of 8.2 out of 10, placing it in the Gold tier. This score combines weighted sub-signals: usefulness (35%), novelty (18%), momentum (14%), maturity (10%), open-source/build quality (7%), evidence quality (6%), workflow potential (6%), and setup ease (4%). Popularity is tracked separately at 1052.0 and never affects the composite score or tier. The risk label of 'medium' reflects inherent user-impacting hazards, not generic novelty. Items with no risk flag may still require normal code review before production use.
Putting this into practice? Read "How to vet an AI agent or MCP server before you wire it in" for the checklist behind this score.
Risk explanation
**Most tools require paid third-party API keys (Shodan, VirusTotal, GreyNoise, etc.).** The README has an API keys setup section; the user must obtain the relevant API key for each tool they want to enable, and some tools (Shodan, VirusTotal) are paid third-party services. Free tiers exist for most, but production use typically requires paid plans. Users should review the API key setup section before assuming free-tier functionality.

**The server makes outbound HTTPS calls to 24 external APIs.** The security-and-privacy section documents the outbound-only HTTPS posture (the server only makes outbound HTTPS calls to the 24 APIs, never accepts inbound connections, and the SQLite cache is local), but security teams running the server should confirm that the deployment's egress allowlist includes the 24 API endpoints and that API keys are stored in environment variables (not committed to the repo or passed over the MCP transport).

**The composite risk score is a heuristic, not an industry-standard scoring system.** The `triage_cve` orchestrator returns a composite risk score with a CISA KEV hard override (actively exploited CVEs escalate to critical regardless of CVSS/EPSS), but the composite score is a project-defined heuristic, not CVSS, EPSS, or any other industry-standard scoring system. Users should treat the composite score as a triage aid, not a substitute for human review; the source URLs in the evidence trail are the canonical input.
