VulnFeed by Novadyne

Know when your dependencies are vulnerable.

An MCP server that reads your lockfile, checks NVD + GitHub Advisories, and tells you what actually matters — prioritized by real-world exploit probability, with exact fix versions.

Free tier — 10 scans/day, no signup. $14/mo for unlimited.

> Scan my project for vulnerabilities
Using: scan_project(".")

Scanning package-lock.json... 847 packages

GHSA-29mw-wpgm-hmr9 in express@4.17.1
  Severity: HIGH | EPSS: 73.2% (HIGH) | Fix: upgrade to 4.21.0
  Open redirect via malicious URL in res.location()

CVE-2024-29041 in express@4.17.1
  Severity: MODERATE | EPSS: 0.8% (low) | Fix: upgrade to 4.19.2

3 affected packages, 12 vulnerabilities total
Top priority: express — the GHSA-29mw vuln has 73% exploit probability

Why not just ask Claude to check?

It knows your deps

Reads your package-lock.json, requirements.txt, or go.sum and filters to only the CVEs that hit your actual dependency tree. No noise from packages you don't use.

EPSS prioritization

Most CVEs are noise. EPSS (Exploit Prediction Scoring System) scores each one by real-world exploitability. VulnFeed surfaces the ones likely to be used in real attacks.

Fix recommendations

Not just "you're vulnerable" but "upgrade express 4.17.1 → 4.21.0". Cross-references the npm, PyPI, and Go registries for the exact version that fixes the issue.
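The pipeline the three sections above describe (read the lockfile, keep only advisories that hit an installed version, sort by EPSS, report the fix version), as an added Python example that is not VulnFeed's code. The lockfile and advisory feed are constructed inline; `parse_version`, `installed_packages` and `find_vulns` are names chosen here, and advisories are simplified to "every version below `fixed` is affected".

```python
import json
import re

# Constructed package-lock.json (lockfileVersion 2/3 layout), not a real project's:
# one vulnerable package, one already-patched package, one nested copy.
LOCKFILE = json.dumps({
    "name": "demo", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo", "version": "1.0.0"},
        "node_modules/express": {"version": "4.17.1"},
        "node_modules/lodash": {"version": "4.17.21"},
        "node_modules/express/node_modules/debug": {"version": "2.6.9"},
    },
})

# Constructed advisory feed. The two express entries use the values from the
# sample scan above; the lodash and unused-pkg entries are made up to exercise
# the "already fixed" and "not in your tree" cases. Real feeds carry full ranges;
# here an advisory affects every version below "fixed".
ADVISORIES = [
    {"id": "GHSA-29mw-wpgm-hmr9", "package": "express", "fixed": "4.21.0",
     "severity": "HIGH", "epss": 0.732},
    {"id": "CVE-2024-29041", "package": "express", "fixed": "4.19.2",
     "severity": "MODERATE", "epss": 0.008},
    {"id": "EXAMPLE-lodash", "package": "lodash", "fixed": "4.17.21",
     "severity": "HIGH", "epss": 0.5},
    {"id": "EXAMPLE-unused", "package": "unused-pkg", "fixed": "2.0.0",
     "severity": "CRITICAL", "epss": 0.9},
]

def parse_version(v):
    """Numeric tuple for a dotted version; pre-release suffixes are ignored."""
    return tuple(int(p) for p in re.match(r"(\d+)\.(\d+)\.(\d+)", v).groups())

def installed_packages(lockfile_text):
    """Map package name -> set of installed versions, nested copies included."""
    found = {}
    for path, meta in json.loads(lockfile_text)["packages"].items():
        if not path:
            continue  # the "" entry is the root project itself
        name = path.rsplit("node_modules/", 1)[1]  # keeps @scope/name intact
        found.setdefault(name, set()).add(meta["version"])
    return found

def find_vulns(lockfile_text, advisories):
    """Advisories hitting an installed version, highest EPSS first."""
    installed = installed_packages(lockfile_text)
    hits = [{**adv, "installed": ver} for adv in advisories
            for ver in installed.get(adv["package"], ())
            if parse_version(ver) < parse_version(adv["fixed"])]
    return sorted(hits, key=lambda h: h["epss"], reverse=True)
```

Calling `find_vulns(LOCKFILE, ADVISORIES)` returns only the two express hits, GHSA first, each carrying the installed and fixed versions for the upgrade line.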

Continuous monitoring

Register your project once. Check back any time for new vulnerabilities. New CVE published at 3am? It's in the index by 3:15am for your morning session.

9 tools, one install

Scan a lockfile, check a package, look up a CVE, monitor a project, check alerts, update deps, list projects. Everything a security workflow needs.

Zero upstream cost

Data sources are NVD, GitHub Advisory DB, and EPSS — all free, public APIs. No vendor lock-in, no data broker middlemen. Your $14 pays for the intelligence layer, not data access.

How it compares

Feature               | Free MCP servers | Snyk / Socket  | VulnFeed
CVE lookup            |                  |                |
Knows your deps       |                  |                |
EPSS prioritization   |                  |                |
Fix recommendations   |                  |                |
Continuous monitoring |                  |                |
MCP-native            |                  |                |
Free tier             |                  |                | ✓ (10 scans/day)
Price (paid)          | Free             | $25-49/dev/mo  | $14/mo flat

Setup in 2 minutes

Free tier — no signup, no API key

10 scans/day, 1 monitored project. Just add this to your MCP config:

{
  "mcpServers": {
    "vulnfeed": {
      "command": "uvx",
      "args": ["vulnfeed-mcp"]
    }
  }
}

Works in Claude Code (~/.claude/settings.json), Claude Desktop (claude_desktop_config.json), Cursor, and Windsurf.

Restart your client. Ask it to "scan my project for vulnerabilities". That's it.

Unlimited — $14/mo

Unlimited scans, unlimited monitored projects. Add your license key:

{
  "mcpServers": {
    "vulnfeed": {
      "command": "uvx",
      "args": ["vulnfeed-mcp"],
      "env": {
        "VULNFEED_API_KEY": "YOUR_LICENSE_KEY_HERE"
      }
    }
  }
}

Get your license key — flat rate, not per-seat, not per-repo.

Start monitoring your dependencies.