Find vulnerabilities affecting a product by searching the NIST National Vulnerability Database. Pass product (free-text keyword, e.g. "apache log4j", "openssl", "wordpress plugin contact-form-7") or cpe (an exact CPE 2.3 name, e.g. cpe:2.3:a:apache:log4j:2.14.1:*:*:*:*:*:*:*). Returns matching CVEs newest-first, each with its id, description, CVSS base score/severity/vector, and dates. Optional limit (1–50). For "what CVEs affect X" / surveying a product's vulnerability history — distinct from security.cve, which resolves a single CVE id across NVD + CISA KEV + EPSS. Free, keyless.
/api/security/cve-searchPAYMENT-SIGNATURE.The cve search API is a pay-per-call security endpoint built for AI agents and autonomous software. Find vulnerabilities affecting a product by searching the NIST National Vulnerability Database.
There is no signup and no API key. An agent (or any HTTP client) hits the endpoint, receives an x402 "402 Payment Required" challenge, signs a sub-cent USDC payment on Base or Solana, and retries — the data comes back on the paid request. That makes it a drop-in cve search data source for an agent tool-use loop, an MCP host, or a backend that needs security data on demand without onboarding to yet another vendor portal.
| Name | Type | Description |
|---|---|---|
product | string | Free-text product/keyword (e.g. "apache log4j"). min 2 chars · max 200 chars |
cpe | string | Exact CPE 2.3 name (e.g. cpe:2.3:a:apache:log4j:2.14.1:*:*:*:*:*:*:*). min 5 chars · max 300 chars |
limit | integer | Max CVEs to return (1–50, default 20). min 1 · max 50 |
# 1. Probe with no auth → 402 envelope with PaymentRequirements curl -sS 'https://2s.io/api/security/cve-search?product=xx&cpe=xxxxx&limit=1' # 2. Sign + retry with PAYMENT-SIGNATURE: curl -sS 'https://2s.io/api/security/cve-search?product=xx&cpe=xxxxx&limit=1' \ -H 'PAYMENT-SIGNATURE: <base64-json-payload>' # Or use the canonical runner (handles probe → sign → retry): # EVM_PRIVATE_KEY=0x... node --env-file=.env.local \ # --experimental-strip-types scripts/x402-pay.ts \ # 'https://2s.io/api/security/cve-search?product=xx&cpe=xxxxx&limit=1'
import { TwoS } from '@2sio/sdk'
const client = new TwoS({
privateKey: process.env.EVM_PRIVATE_KEY as `0x${string}`,
})
const result = await client.security.cveSearch({
"product": "xx",
"cpe": "xxxxx",
"limit": 1
})
console.log('endpoint:', result.endpoint)
console.log('cost:', result.costUsd, 'USDC')
console.log('tx:', result.settlement?.txHash)
console.log('data:', result.data)import os
from twosio import TwoS
client = TwoS(private_key=os.environ["EVM_PRIVATE_KEY"])
result = client.security.cve_search(product="xx", cpe="xxxxx", limit=1)
print("endpoint:", result.endpoint)
print("cost:", result.cost_usd, "USDC")
print("tx:", (result.settlement or {}).get("tx_hash"))
print("data:", result.data)// 1. Add @2sio/mcp to your MCP host config (Claude Desktop example below).
// EVM_PRIVATE_KEY funds x402 payments per call.
// claude_desktop_config.json
{
"mcpServers": {
"2sio": {
"command": "npx",
"args": ["-y", "@2sio/mcp"],
"env": { "EVM_PRIVATE_KEY": "0x..." }
}
}
}
// 2. Once the server is running, agents call this tool via standard MCP:
{
"jsonrpc": "2.0",
"id": 1,
"method": "tools/call",
"params": {
"name": "security.cve-search",
"arguments": {
"product": "xx",
"cpe": "xxxxx",
"limit": 1
}
}
}| Field | Type | Description |
|---|---|---|
ok | boolean | one of: true |
items | array | |
total | integer | Total matching rows upstream; null when unknown. |
source | object | |
meta | object |
{
"ok": true,
"items": [
{
"id": "example",
"description": "example",
"cvss": {},
"published": "example",
"lastModified": "example"
}
],
"total": 1,
"source": {
"provider": "example",
"url": "example",
"license": "example"
},
"meta": {
"total": 1,
"query": "example"
}
}