VulneraMCP
by telmon95
Overview
An AI-powered platform for automated security testing, vulnerability research, and bug bounty hunting.
Installation
npm start
Environment Variables
- POSTGRES_HOST
- POSTGRES_PORT
- POSTGRES_DB
- POSTGRES_USER
- POSTGRES_PASSWORD
- REDIS_HOST
- REDIS_PORT
- REDIS_PASSWORD
- ZAP_URL
- ZAP_API_KEY
- CAIDO_MCP_SERVER
- CAIDO_API_TOKEN
- BURP_BRIDGE_PORT
- DASHBOARD_PORT
Security Notes
The server uses `eval()` in `render.execute_js`, which executes arbitrary JavaScript supplied by the user or the AI client with the server's full privileges; this is a critical remote code execution risk if the MCP client is compromised or relays untrusted input. Default PostgreSQL passwords such as 'bugbounty123' are suggested in the setup scripts and in `docker-compose.yml`, a hardcoded-secret weakness. ZAP is often configured with `api.disablekey=true` in the examples, which leaves its API reachable without authentication.
Similar Servers
MCP-Kali-Server
Enabling AI-driven offensive security testing by bridging AI agents to a Kali Linux terminal for command execution.
burp-mcp-agents
Connects Burp Suite MCP Server to AI backends (Codex, Gemini, Ollama, LM Studio) for assisted, non-destructive vulnerability analysis using real Burp traffic.
VibeShift
VibeShift is an intelligent security agent that integrates with AI coding assistants to analyze AI-generated code for vulnerabilities, suggest remediations, and facilitate web test recording, crawling, and execution.
pentestMCP
This MCP server enables AI agents to perform automated and interactive penetration testing tasks by exposing a suite of security assessment utilities as callable tools.