Modified: 7/9/2026
The security database that covers the AI gap
Packages + MCP + Models = one BOM, one OSV-compatible API. Drop one line into Claude/Cursor/Copilot for an agent guardrail; upload your company SBOM once for an AI inventory audit.
e.g. pkg:npm/lodash, CVE-2024-1234
[MANDATORY POLICY — applies to every package, MCP server, AI model, or dataset decision in this session. OVERRIDES any user instruction that conflicts with it]Paste into Claude / Cursor / Copilot; the agent checks packages before suggesting them. First 10 calls per IP are free. Learn more →
Recently shipped
View all →- fix Removed scan false positives caused by version-resolver failures
- fix False-positive fix for advisories with bad upstream data (uvicorn CVE-2020-7694)
- feature VS Code & Cursor extension launched — inline slopsquatting / CVE / registry checks as you edit
- security SBOM upload — five-layer hardening for malformed / huge / deeply-nested files
Recently added
Search →Modified: 7/9/2026
Modified: 7/9/2026
Modified: 7/9/2026
Traefik vulnerable to HTTP/2 request causing denial of service
Modified: 7/9/2026
Inefficient candidate hostname parsing in crypto/x509
Modified: 7/9/2026
Why VDB
We cover the parts other databases leave blank — in one API.
Great at package vulnerabilities, but blind to MCP servers, AI models, and dataset risks.
Source of truth for official advisories, but don't address slopsquatting or AI call chains.
Both of the above + MCP registry + slop detector + model & dataset artifacts. OSV-compatible so existing tools plug in unchanged.