VulnFeed MCP server scans lockfiles for exploitable CVEs
VulnFeed is an MCP server by Novadyne that reads project lockfiles, checks NVD and GitHub Advisories, and surfaces dependency vulnerabilities prioritized by EPSS exploit probability — with a free tier of 10 scans/day and a $14/mo unlimited plan.
VulnFeed brings EPSS-prioritized, lockfile-aware CVE scanning directly into MCP-compatible coding agents, replacing broad CVE noise with targeted, fix-ready alerts for a project's actual dependencies.
VulnFeed is an MCP server from Novadyne designed to bring dependency vulnerability monitoring directly into AI coding agent workflows. It exposes nine tools covering lockfile scanning, individual package checks, CVE lookups, project monitoring, alert checking, dependency updates, and project listing. The server reads `package-lock.json`, `requirements.txt`, or `go.sum` files and filters the full CVE landscape down to only the vulnerabilities that affect a project's actual dependency tree, eliminating noise from packages not in use. Results are prioritized using EPSS (Exploit Prediction Scoring System) scores — for example, a demo scan surfaces `GHSA-29mw-wpgm-hmr9` in `[email protected]` with an EPSS score of 73.2% alongside an exact fix recommendation to upgrade to `4.21.0`. Data sources are NVD, GitHub Advisory DB, and EPSS, all described as free public APIs; new CVEs are indexed within approximately 15 minutes of publication.
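As an added illustration (not VulnFeed's or Novadyne's code), the block below shows the pipeline the paragraph describes in miniature: parse the lockfile to recover the installed dependency tree, match each installed version against an advisory table, discard advisories for packages the project does not actually use, and rank what remains by EPSS so the finding most likely to be exploited comes first, together with its fix version. The lockfile, the `requirements.txt`, the `GHSA-EXAMPLE-…` identifiers, the version ranges and the EPSS values are all constructed placeholders; a real scanner would fetch them from NVD, the GitHub Advisory DB and the EPSS feed. Only `package-lock.json` v2/v3 and exact `==` pins are handled.

```python
"""Lockfile-aware CVE triage ranked by EPSS (illustration only; not VulnFeed code).

Handles package-lock.json v2/v3 ("packages" map) and pinned requirements.txt
entries. Every advisory, version and EPSS value here is constructed.
"""
import json
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    id: str
    ecosystem: str   # "npm" or "pypi"
    package: str
    introduced: str  # first affected version (inclusive)
    fixed: str       # first fixed version (exclusive); doubles as the fix recommendation
    epss: float      # EPSS probability of exploitation (0..1)


# Constructed advisory table: placeholder IDs, ranges and EPSS scores.
ADVISORIES = [
    Advisory("GHSA-EXAMPLE-0001", "npm", "left-widget", "0", "2.4.1", 0.73),
    Advisory("GHSA-EXAMPLE-0002", "npm", "left-widget", "2.0.0", "2.3.0", 0.05),
    Advisory("GHSA-EXAMPLE-0003", "pypi", "reqparse", "1.0", "1.2.0", 0.41),
    # Affects a package the sample project does not use: must be filtered out.
    Advisory("GHSA-EXAMPLE-0004", "npm", "unused-lib", "0", "9.9.9", 0.99),
]

# Constructed sample inputs, not taken from any real project.
LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/left-widget": {"version": "2.2.0"},
        "node_modules/safe-lib": {"version": "1.0.0"},
        # Nested copy already at the fixed version: must not be flagged.
        "node_modules/safe-lib/node_modules/left-widget": {"version": "2.4.1"},
    },
})
REQUIREMENTS = """\
# constructed sample requirements.txt
reqparse==1.1.0
flask>=2.0        # unpinned: installed version unknown, skipped by this demo
numpy==1.26.4
"""


def parse_version(v: str) -> tuple:
    """Map '2.4.1' to (2, 4, 1). Pre-release tags are dropped, so '2.4.1-rc1'
    is treated as 2.4.1 (fine for the demo, too optimistic for production)."""
    nums = [int(p) for p in re.split(r"[.\-+]", v) if p.isdigit()][:3]
    return tuple(nums + [0] * (3 - len(nums)))


def parse_package_lock(text: str):
    """Yield (ecosystem, name, version) for every installed npm package,
    including nested copies under node_modules/*/node_modules/."""
    for path, info in json.loads(text).get("packages", {}).items():
        if path == "" or "version" not in info:
            continue  # "" is the project root itself
        yield "npm", path.rsplit("node_modules/", 1)[-1], info["version"]


def parse_requirements(text: str):
    """Yield (ecosystem, name, version) for exact '==' pins only."""
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9A-Za-z.\-+]*)", line)
        if m:
            yield "pypi", m.group(1).lower(), m.group(2)


def is_affected(version: str, adv: Advisory) -> bool:
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def scan_project(lockfile: str, requirements: str, advisories=ADVISORIES):
    """Match the dependency tree against advisories and rank by EPSS."""
    deps = list(parse_package_lock(lockfile)) + list(parse_requirements(requirements))
    findings = []
    for eco, name, version in deps:
        for adv in advisories:
            if adv.ecosystem == eco and adv.package == name and is_affected(version, adv):
                findings.append({"id": adv.id, "package": name, "installed": version,
                                 "fix": adv.fixed, "epss": adv.epss})
    # Highest exploit probability first: this ordering is what turns a flat
    # CVE dump into a list a developer can act on top-down.
    return sorted(findings, key=lambda f: f["epss"], reverse=True)


if __name__ == "__main__":
    for f in scan_project(LOCKFILE, REQUIREMENTS):
        print(f"{f['id']}  {f['package']}@{f['installed']}  "
              f"EPSS {f['epss']:.1%}  fix: upgrade to {f['fix']}")
```

Two details carry the security point: the nested `left-widget@2.4.1` under `safe-lib` is not flagged because version matching is done per installed copy, not per package name, and `unused-lib` never appears in the output despite its 0.99 EPSS because it is not in the dependency tree. Unpinned `requirements.txt` entries are skipped rather than guessed; a production scanner would resolve them from the environment instead.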
The server is compatible with Claude Code, Claude Desktop, Cursor, VS Code, and Windsurf, and is installable via `uvx vulnfeed-mcp` with a two-minute setup.
Pricing has three tiers: a free tier (10 scans/day, one monitored project, no signup), a $14/mo flat unlimited plan (unlimited scans and monitored projects, not per-seat or per-repo), and a pay-per-scan x402 micropayment option at $0.01 per scan and $0.002 per CVE lookup using USDC on Base via a Coinbase facilitator. The post positions VulnFeed against free generic MCP CVE tools (which lack dependency-tree awareness) and commercial tools like Snyk/Socket (which cost $25–49/dev/mo and are not MCP-native).
Key facts
- VulnFeed is an MCP server by Novadyne offering 9 security tools for dependency vulnerability monitoring in AI coding agents.
- It reads lockfiles (`package-lock.json`, `requirements.txt`, `go.sum`) and filters CVEs to only those affecting the project's actual dependency tree.
- Vulnerabilities are ranked by EPSS (Exploit Prediction Scoring System) scores to highlight real-world exploitability.
- Each finding includes an exact fix version, cross-referenced across npm, PyPI, and Go registries.
- Free tier: 10 scans/day, 1 monitored project, no signup required. Paid tier: $14/mo flat (unlimited scans, unlimited projects).
- A pay-per-scan x402 micropayment option is available at $0.01/scan and $0.002/CVE lookup, paid in USDC on Base.
- Compatible with Claude Code, Claude Desktop, Cursor, VS Code, and Windsurf; data sources are NVD, GitHub Advisory DB, and EPSS.
Summary and scoring are generated automatically from the original article. Last processed Jun 17, 2026 · 10:39 UTC.