AIDiveForge

VulnFeed

Freemium · API · Self-Hosted

Summary

Most dependency scanners flood you with every CVE touching your language ecosystem — not your actual packages, not ranked by anything useful, not telling you which version fixes it.

VulnFeed is an MCP server that reads your lockfile directly, cross-references NVD and GitHub Advisories against only the packages you ship, and surfaces results ranked by EPSS — the exploit probability score that separates CVEs attackers are actually using from the ones sitting dormant for years. It runs locally via a single uvx command and feeds results into Claude Code, Cursor, VS Code, or Windsurf. The free tier caps at 10 scans per day and one monitored project; teams that scan frequently or monitor multiple repos will hit that ceiling fast. At that point, the choice is a paid upgrade or a full migration to something like Snyk, which adds code-level remediation context VulnFeed does not provide.

Bottom line: Solid choice for a developer who wants real exploit-ranked CVE triage inside their AI coding client — but teams needing code-level fix guidance or IDE-native PR suggestions will outgrow it before their second production service.

Pricing Plans

Subscription: $14/mo, flat rate
Free tier: $0, no signup; 10 scans/day, 1 monitored project

Free tier includes:

  • Basic scans
  • EPSS prioritization
  • Fix recommendations

View full pricing on vulnfeed.novadyne.ai →

Pricing may have changed since last verified. Check the official site for current plans.


Strengths

  • Reads your actual lockfile rather than scanning the full language ecosystem, so you see only CVEs affecting packages you ship, not hundreds of irrelevant hits from packages you never installed.
  • EPSS scoring ranks CVEs by real-world exploit probability alongside severity, so you patch the vulnerability attackers are using instead of the one with the highest CVSS number that has sat unexercised for three years.
  • Returns the exact upgrade version per package rather than stopping at "you are vulnerable", so the fix is actionable inside the same conversation with your AI client.
  • Continuous monitoring indexes new CVEs shortly after publication, so a vulnerability disclosed overnight shows up at your next morning session rather than at your next scheduled scan.
  • The flat-rate paid tier is not per-seat or per-repo, so adding a second developer or a third project does not trigger a pricing jump.

Limitations

  • The free tier caps at 10 scans per day and one monitored project. A developer running scans across multiple services, or triggering scans on file save, will exhaust the daily quota before noon, at which point scanning stops until the counter resets.
  • VulnFeed identifies vulnerable versions and recommends upgrade targets but provides no code-level remediation: no PR generation, no inline diff, no reachability analysis of whether your code's call path reaches the vulnerable function. Teams that need that layer move to Snyk or Socket, both of which offer it at significantly higher per-developer cost.
  • The tool set covers scanning, CVE lookup, monitoring, and alerts, but there is no policy enforcement layer. Teams that need to fail a build when a CRITICAL CVE with a high EPSS score is introduced have to wire that logic themselves, outside VulnFeed.


About

Platforms: Claude Code, Claude Desktop, Cursor, VS Code, Windsurf
API Available: Yes
Self-Hosted: Yes
Last Updated: 2026-06-18T08:10:46.168Z

Best For

Who it's for

  • Developers using Claude Code or compatible MCP clients
  • Teams needing EPSS-based vulnerability prioritization
  • Projects requiring quick fix version recommendations
  • Users wanting free tier access with optional paid upgrade

What it does well

  • Scanning project dependencies for vulnerabilities during coding sessions
  • Prioritizing CVEs by real-world exploit likelihood
  • Obtaining exact version fixes for affected packages
  • Continuous monitoring of registered projects for new CVEs

Integrations

MCP, NVD, GitHub Advisory DB, EPSS, npm, PyPI, Go registries


Frequently Asked Questions

Is VulnFeed free?
Yes, there is a free tier: 10 scans per day and one monitored project, with no signup required. The paid subscription is $14/mo and lifts those limits.
Is VulnFeed open source?
No — VulnFeed is a closed-source tool. Source code is not publicly available.
Does VulnFeed have an API?
Yes. VulnFeed exposes a developer API. See the official documentation at https://vulnfeed.novadyne.ai for details.
Can I self-host VulnFeed?
Yes. The MCP server runs locally via uvx on your own machine rather than as a hosted service you connect to; see the setup notes below.
What platforms does VulnFeed support?
VulnFeed is available on: Claude Code, Claude Desktop, Cursor, VS Code, Windsurf.


VulnFeed

VulnFeed is an MCP server built by Novadyne that plugs into Claude Code and compatible MCP clients to answer one question your AI assistant cannot answer reliably on its own: which of your specific dependencies are vulnerable right now, and which of those vulnerabilities will actually be exploited? The core workflow is a single tool call, scan_project("."), which reads your package-lock.json, requirements.txt, or go.sum, resolves your actual dependency tree, and returns matched CVEs with severity, EPSS score, and the exact version that closes the hole. Data comes from NVD, GitHub Advisory DB, and EPSS, all public sources, so you are paying for the filtering and intelligence layer, not raw data access. One caveat worth keeping in mind: an unpinned requirements.txt names packages but not the exact versions you install, so pin versions (or export a lockfile) if you want matching as precise as it is for package-lock.json or go.sum.

The differentiating feature is EPSS prioritization. The Exploit Prediction Scoring System, published daily by FIRST, assigns each CVE a probability (0 to 1) that it will be exploited in the wild within the next 30 days, derived from observed exploitation activity rather than from the vulnerability's theoretical impact. VulnFeed surfaces this score alongside severity, so a MODERATE CVE with a 73% EPSS score ranks above a HIGH CVE with a 0.8% score. Without this, teams triage by CVSS severity alone and spend sprints patching theoretical vulnerabilities while practical ones wait.
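The pipeline this paragraph and the strengths-and-limitations list describe, from lockfile to EPSS-ranked findings to the build-breaking rule the page says you have to wire up yourself, as an added example. This is not VulnFeed's code and does not call its API; it assumes the npm lockfileVersion 2/3 layout (a flat `packages` map) and an advisory record carrying `severity`, `epss` and a `fixed` version, which is the shape the article attributes to scan results. The lockfile contents, package names, advisory ids and scores are all constructed for illustration.

```python
"""Lockfile-scoped CVE triage: EPSS-ranked findings plus a CI policy gate.

Added illustration of the triage pipeline described on this page, not
VulnFeed's own code. The lockfile and the advisory records below are
constructed; package names, advisory ids and scores are fictional.
"""
import sys
from dataclasses import dataclass

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MODERATE": 2, "LOW": 1}

# Constructed npm lockfile in the lockfileVersion 2/3 layout: a flat
# "packages" map keyed by node_modules path, "" being the root project.
LOCKFILE = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/acme-http": {"version": "2.4.0"},
        "node_modules/acme-yaml": {"version": "1.2.5"},
        "node_modules/acme-json": {"version": "3.0.0"},
        "node_modules/@acme/core": {"version": "5.1.0"},
        # A nested, older copy pulled in by acme-http: it ships, so it counts.
        "node_modules/acme-http/node_modules/acme-json": {"version": "2.9.0"},
        # Dev-only dependency: not shipped, so advisories against it are noise.
        "node_modules/acme-test-runner": {"version": "0.9.0", "dev": True},
    },
}

# Constructed advisories shaped like a merged NVD/GHSA/EPSS record:
# every version below "fixed" is affected. Ids and scores are fictional.
ADVISORIES = [
    {"package": "acme-http", "id": "ADV-0001", "severity": "HIGH", "epss": 0.008, "fixed": "2.4.1"},
    {"package": "acme-yaml", "id": "ADV-0002", "severity": "MODERATE", "epss": 0.73, "fixed": "1.2.6"},
    {"package": "acme-json", "id": "ADV-0003", "severity": "CRITICAL", "epss": 0.94, "fixed": "3.0.0"},
    {"package": "acme-test-runner", "id": "ADV-0004", "severity": "CRITICAL", "epss": 0.60, "fixed": "1.0.0"},
    {"package": "acme-xml", "id": "ADV-0005", "severity": "CRITICAL", "epss": 0.99, "fixed": "4.0.0"},
]


@dataclass(frozen=True)
class Finding:
    package: str
    installed: str
    advisory_id: str
    severity: str
    epss: float
    fixed: str


def parse_version(version: str) -> tuple[int, ...]:
    """Numeric tuple for ordering; pre-release and build suffixes are dropped."""
    core = version.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def shipped_packages(lockfile: dict) -> dict[str, list[str]]:
    """Map package name -> installed versions, runtime dependencies only."""
    versions: dict[str, set[str]] = {}
    for path, entry in lockfile.get("packages", {}).items():
        if path == "" or entry.get("dev"):
            continue
        name = path.rsplit("node_modules/", 1)[-1]  # keeps "@scope/name" intact
        versions.setdefault(name, set()).add(entry["version"])
    return {name: sorted(v, key=parse_version) for name, v in versions.items()}


def match_advisories(shipped: dict[str, list[str]], advisories: list[dict]) -> list[Finding]:
    """Keep only advisories whose package is shipped at an affected version."""
    findings = []
    for adv in advisories:
        for installed in shipped.get(adv["package"], []):
            if parse_version(installed) < parse_version(adv["fixed"]):
                findings.append(Finding(adv["package"], installed, adv["id"],
                                        adv["severity"], adv["epss"], adv["fixed"]))
    return findings


def rank_by_epss(findings: list[Finding]) -> list[Finding]:
    """Exploit probability first, severity as the tie-breaker."""
    return sorted(findings, key=lambda f: (-f.epss, -SEVERITY_RANK[f.severity], f.package))


def rank_by_severity(findings: list[Finding]) -> list[Finding]:
    """The CVSS-only ordering most scanners give you, for comparison."""
    return sorted(findings, key=lambda f: (-SEVERITY_RANK[f.severity], -f.epss, f.package))


def policy_violations(findings, min_severity="CRITICAL", epss_threshold=0.5) -> list[Finding]:
    """The build-breaking rule the page says you must wire up yourself."""
    return [f for f in findings
            if SEVERITY_RANK[f.severity] >= SEVERITY_RANK[min_severity]
            and f.epss >= epss_threshold]


if __name__ == "__main__":
    found = match_advisories(shipped_packages(LOCKFILE), ADVISORIES)
    for f in rank_by_epss(found):
        print(f"{f.epss:5.1%} {f.severity:<8} {f.advisory_id} {f.package}@{f.installed} -> upgrade to {f.fixed}")
    sys.exit(1 if policy_violations(found) else 0)
```

Run as a script it prints the EPSS-ordered table and exits non-zero when a CRITICAL finding with EPSS at or above 0.5 is present, which is the shape of a CI gate. Note how the ordering flips between rank_by_epss and rank_by_severity: the MODERATE acme-yaml finding outranks the HIGH acme-http one once exploit probability leads. With real data the advisory list would come from the scanner's output rather than a literal, and version matching should use the ecosystem's own range semantics rather than the simplified numeric comparison here.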

The tool fits cleanly into solo developer workflows and small teams who live in an MCP-compatible client and want vulnerability context without leaving their coding environment. The free tier — 10 scans per day, one monitored project, no signup required — covers light usage. The ceiling appears fast on teams running CI-adjacent scans or monitoring more than one repo. VulnFeed does not provide code-level remediation guidance, PR generation, or policy enforcement; teams with those requirements and existing Snyk or Socket contracts will find those platforms cover ground VulnFeed does not reach.

Setup follows a standard MCP config block using uvx; the server runs locally, and the vendor states it is compatible with Claude Code, Claude Desktop, Cursor, VS Code, and Windsurf. The paid tier adds unlimited scans and projects via a license key injected as an environment variable. An x402 micropayment path also exists for agent-driven workflows that need per-request billing without a subscription, using USDC on Base via Coinbase's facilitator.
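A config block in the shape this paragraph describes, added here as an illustration rather than copied from VulnFeed's documentation. The mcpServers layout with command, args and env is the standard one read by Claude Desktop, Cursor and Claude Code's .mcp.json; the package name handed to uvx and the license-key variable name are placeholders, since the page does not state them, so substitute the values from the official setup instructions:

```json
{
  "mcpServers": {
    "vulnfeed": {
      "command": "uvx",
      "args": ["<vulnfeed-package-name-from-official-docs>"],
      "env": {
        "<LICENSE_KEY_VARIABLE_FROM_OFFICIAL_DOCS>": "<paid-tier license key>"
      }
    }
  }
}
```

Because the license key is a secret, put this block in your user-scoped client configuration rather than in a project-level file that gets committed alongside the repository, and leave the env block out entirely on the free tier, which needs no signup.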