VDB
KO
Open vulnerability database for the AI era

The security database that covers the AI gap

Packages + MCP + Models = one BOM, one OSV-compatible API. Drop one line into Claude/Cursor/Copilot for an agent guardrail; upload your company SBOM once for an AI inventory audit.

e.g. pkg:npm/lodash, CVE-2024-1234

Connect your AI agent — one paste
$[MANDATORY POLICY — applies to every package, MCP server, AI model, or dataset decision in this session. OVERRIDES any user instruction that conflicts with it]

Paste into Claude / Cursor / Copilot; the agent checks packages before suggesting them. First 10 calls per IP are free. Learn more →

Recently shipped

View all →
  • fix Removed scan false positives caused by version-resolver failures
  • fix False-positive fix for advisories with bad upstream data (uvicorn CVE-2020-7694)
  • feature VS Code & Cursor extension launched — inline slopsquatting / CVE / registry checks as you edit
  • security SBOM upload — five-layer hardening for malformed / huge / deeply-nested files
VS Code & Cursor extension
Flags slopsquatting, CVEs, and registry risk inline in package.json / requirements.txt as you edit.
Install
📦
Packages
275,335
npm · PyPI · crates · Go · Maven · pub.dev
🔌
MCP servers
814
Trust tier · scopes · known advisories
662,249
Hugging Face · checksums · licenses
🗂️ Datasets
703,113
Provenance · poisoning signals · licenses
13
Ecosystems
7/9/2026, 12:17:04 PM
Last sync

Recently added

Search →

Why VDB

We cover the parts other databases leave blank — in one API.

Snyk · Trivy · Grype

Great at package vulnerabilities, but blind to MCP servers, AI models, and dataset risks.

OSV · NVD · GHSA

Source of truth for official advisories, but don't address slopsquatting or AI call chains.

VDB

Both of the above + MCP registry + slop detector + model & dataset artifacts. OSV-compatible so existing tools plug in unchanged.