Start free. Scale when you need to.

Free

For individual researchers

$0 forever
  • Search across 90+ sources, 1.5M+ documents
  • 50 API calls/day (10/day anonymous)
  • CVE enrichment: EPSS, KEV, CWE, MITRE ATT&CK
  • MCP integration
  • 1 API key
  • Batch API: 10 CVEs/request, 5 calls/day
7-day free trial

Pro

For security engineers and analysts

$29/month
  • Everything in Free
  • 500 API calls/day
  • Batch API: 100 CVEs/request, 50 calls/day
  • Detection rules via API (Sigma, YARA, Nuclei, Suricata)
  • 1 personal API key
  • Commercial use license
  • Email support

Team

For security teams and MSSPs

$149/month
  • Everything in Pro
  • 5,000 API calls/day
  • Batch API: 500 CVEs/request, 500 calls/day
  • 5 API keys
  • Priority support
  • Invoice billing

Frequently asked questions

Is the data free to use?
Yes. The vulnerability data comes from public sources (NVD, CISA KEV, MITRE, ExploitDB, Sigma repos, etc.) and is free to search on cvebase.io. Commercial use may require a Pro license (see above).
Do I need to sign up to search?
No. Anonymous users get 10 searches per day. Sign in with GitHub or Google to bump that to 50/day.
What does MCP access mean?
cvebase runs a remote MCP server at https://cvebase.io/mcp — add it to Claude Desktop, Claude Code, or Cursor and your AI assistant can query CVEs, exploits, and detection rules directly. Free for all users.
What enrichment data is included?
Each CVE ships with the raw signals straight from upstream: EPSS score and percentile (FIRST.org), CISA KEV status with due dates, public exploit availability (ExploitDB, Metasploit, Nuclei), wild-exploitation flags, CWE, and MITRE ATT&CK mappings. We don't invent our own scores — plug the signals into whatever model your team already uses. Included on every tier, including the 50 searches/day Free plan.
Is there a free trial for Pro and Team?
Yes. Both paid tiers include a 7-day free trial — no charge until it ends, and you can cancel any time from the dashboard.
Can I self-host cvebase?
Not today. cvebase is managed only — we run the index, the embedding model, and the API for you. Self-hosting would mean shipping the fine-tuned model weights and a multi-million-document Qdrant snapshot, which we're not ready to support yet. If you have a hard on-prem requirement, email [email protected] and tell us about your setup — it helps us prioritize.

Start searching now

1.5M+ security documents across 90+ sources. No account required.
