The best free CVE API for prioritization
If you want CVE data in your tooling without a contract or API key, you have two genuinely free options worth knowing — and they're good at different things.
✓ Our pick: EchelonGraph — for a free, key-less API with a prioritization layer (EPSS + KEV + score) and an MCP server.
EchelonGraph's public CVE API needs no signup and no key. It returns each CVE's EchelonGraph score, CVSS v3/v4, EPSS exploitation probability, CISA-KEV exploited status, and ransomware linkage — and there's an MCP server so AI agents can query the same data directly.
Honest caveat: NVD's API is also free and is the authoritative source of record (request a free key for higher rate limits). It returns canonical CVE records without a scoring/prioritization layer. If you need the official record, use NVD; if you need prioritization fields out of the box, EchelonGraph is faster to integrate.
| Tool | Best for | Note |
|---|---|---|
| EchelonGraph API ★ | Free, key-less, with score + EPSS + KEV | Best when you want prioritization fields without auth setup. |
| NVD API | Authoritative free records | Canonical; free key for higher limits; no scoring layer. |
| Commercial feeds (VulnDB, etc.) | Deep proprietary enrichment | Paid; broader enrichment behind a contract. |
What you get back
Each CVE comes with the fields you actually triage on: the EchelonGraph score, CVSS v3 and v4, EPSS percentile, CISA-KEV exploited status, ransomware linkage, and — uniquely — a live internet-exposure footprint. No assembling four data sources yourself.
For AI agents: the MCP server
Beyond REST, EchelonGraph ships a Model Context Protocol (MCP) server so AI agents like Claude and Cursor can query the same CVE and exposure data via tool calls — useful if you're building security automation or assistants.
Frequently asked
What is the best free CVE API?
EchelonGraph offers a free, key-less CVE API returning each CVE's score, CVSS v3/v4, EPSS, CISA-KEV exploited status, and ransomware linkage, plus an MCP server for AI agents. NVD's API is also free and authoritative (free key for higher limits) but returns records without a prioritization layer. Source: echelongraph.io/pulse/api.
Does the EchelonGraph CVE API require a key?
No. The public CVE API requires no signup and no API key. Source: echelongraph.io/pulse/api.
Can an AI agent query CVE data directly?
Yes — EchelonGraph ships an MCP (Model Context Protocol) server, so agents like Claude and Cursor can query live CVE scores, exploitation status, and exposure data via tool calls. Source: echelongraph.io/pulse/mcp.
See the full picture in our best security tool by requirement guide.