Free & Open Source

Your AI coding tool writes fast. It also writes vulnerabilities.

Aigent.ly is a free, open-source MCP server that injects live CVE-backed guardrails into Claude Code, Cline, Cursor, GitHub Copilot, and Windsurf — so your AI enforces this week's security rules, not last year's training data.

Who this is for

Four real stories

If one of these sounds like your team, you are the audience for a rules-first security layer on top of AI IDEs.

The solo founder

Building fast, sleeping worried.

Shipping a SaaS with an AI IDE. No dedicated security hire. Needs production-grade defaults without becoming a part-time AppSec team.

The junior dev

The model looks right.

Ships features quickly with agent assistance. Wants guardrails that catch the subtle foot-guns that static vibes miss.

The senior engineer

Standardizing AI-assisted PRs.

Onboarding a team onto an AI IDE. Needs one ruleset baseline so AI-generated diffs meet the same bar as hand-written code.

The technical PM

Audit season after AI acceleration.

Product shipped fast with agent help. Now facing pen test or SOC 2. Needs to map exposure and close gaps with evidence, not vibes.

Ready to try it? Browse rules or pick a stack.

The job to be done

Under one minute

Five steps from stack to live guardrails — each links where it helps.

  1. Add the MCP server to your IDE

     One npx line in your IDE's MCP config. Claude Code, Cline, Cursor, GitHub Copilot, and Windsurf all supported. No API key required.

  2. Try the Rule Composer

     Pick your stack and IDE — the Composer generates a ready-to-paste guardrail file in under a minute. Copy it into your project.

  3. Browse the threat feed

     100+ CVEs tracked across 12 launch stacks, updated daily from NVD, GHSA, CISA KEV, OSV, npm Audit, and EPSS. Each CVE links to its advisory.

  4. Contribute a stack

     Open-source pipeline. Add a stack to the registry, submit CVE pattern improvements, or propose new rules — the catalog is community-driven.

Free MCP Server

Inject live security rules into any AI IDE.

One config line. No API key. No database. The MCP server reads the open-source catalog — updated daily from six public CVE sources — and delivers the right guardrails automatically as you code.

mcp.json
{
  "mcpServers": {
    "aigently": {
      "command": "npx",
      "args": ["-y", "@aigently/mcp-server"],
      "env": { "AIGENTLY_TARGET_IDE": "cursor" }
    }
  }
}

Change AIGENTLY_TARGET_IDE to: Claude Code · Cline · Cursor · GitHub Copilot · Windsurf

Zero-latency — reads local JSON, no network call at runtime

Daily CVE updates committed automatically by the pipeline

Community-grown — open stack registry, open rule pipeline

No telemetry, no API key, no account required
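
The mcp.json above starts the server with `npx -y @aigently/mcp-server`, a package spec with no version, so the config alone does not fix which release runs. A check for that in any MCP config, as an added example (not Aigent.ly's own code); the `local-tool` entry and its version are constructed placeholders:

```javascript
// Added example (not Aigent.ly code): flag MCP servers started through npx
// whose package spec is not pinned to an exact version.
// "aigently" is the entry shown above; "local-tool" and its version 1.2.3
// are constructed placeholders.
const SAMPLE_CONFIG = {
  mcpServers: {
    aigently: {
      command: "npx",
      args: ["-y", "@aigently/mcp-server"],
      env: { AIGENTLY_TARGET_IDE: "cursor" },
    },
    "local-tool": { command: "npx", args: ["-y", "example-mcp@1.2.3"] },
  },
};

// Split "name@version", leaving a leading scope "@" as part of the name.
function splitSpec(spec) {
  const at = spec.lastIndexOf("@");
  if (at <= 0) return { name: spec, version: null };
  return { name: spec.slice(0, at), version: spec.slice(at + 1) };
}

// Exact pins only. Ranges and dist-tags such as "latest" can move over time.
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

function auditMcpConfig(config) {
  const findings = [];
  for (const [server, def] of Object.entries(config.mcpServers ?? {})) {
    if (def.command !== "npx") continue;
    const args = def.args ?? [];
    // Assumption: the first non-flag argument is the package npx runs.
    const spec = args.find((a) => !a.startsWith("-"));
    if (!spec) continue;
    const { name, version } = splitSpec(spec);
    if (version === null || !EXACT.test(version)) {
      findings.push({
        server,
        pkg: name,
        version: version ?? "(none)",
        autoInstall: args.includes("-y") || args.includes("--yes"),
      });
    }
  }
  return findings;
}

console.log(auditMcpConfig(SAMPLE_CONFIG));
```

Each finding names a server whose package can change between runs without the config changing; `autoInstall` marks entries that also skip npx's install prompt.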

299 Verified threats (launch stacks)

Distinct CVE-level rows linked to MVP launch stacks in Postgres.

12 Launch stacks covered

Next.js, Express, FastAPI, NestJS, Nuxt, React SPA, Django, Rails, Go, iOS, Android, and AI/LLM Apps.

6 Threat intelligence sources

NVD, GHSA, CISA KEV, OSV, npm Audit, and EPSS — all public, no login required.

$0 Free & Apache-2.0

MCP server, catalog data, and pipeline are fully open source.

LIVE THREAT INTELLIGENCE

Top critical threats — this week

Real CVEs from NVD, GHSA, and OSV — verified and linked to your stack.

View all 519 threats →

high · OSV

React Router vulnerable to Denial of Service via reflected user input in single-fetch

React SPA

high · OSV

Allocation of Resources Without Limits or Throttling in Axios

React SPA

high · OSV

React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint

React SPA

high · OSV

React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE

React SPA

high · OSV

React Router vulnerable to XSS in unstable RSC redirect handling via javascript: redirect targets

React SPA

high · OSV

axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`

React SPA

high · OSV

LangSmith SDK: Public prompt pull deserializes untrusted manifests without trust boundary warning

AI / LLM Apps

high · OSV

Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up

Next.js

high · OSV

Next.js vulnerable to Denial of Service via connection exhaustion in applications using Cache Components

Next.js

high · OSV

Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes

Next.js

Why it matters

Three differences vs. raw AI IDEs

01

Free MCP server

One config line in your IDE. The MCP server auto-detects your stack and injects the right CVE rules into every generation — zero ongoing setup.

02

Live CVE threat feed

LLM training is frozen in time. Aigent.ly pulls daily from NVD, GHSA, CISA KEV, OSV, npm Audit, and EPSS — so your guardrails reflect what's actively exploited right now.

03

Community-powered catalog

Open-source data, open-source pipeline. Contributors add stacks, sharpen CVE patterns, and propose new guardrail rules — the catalog grows with the community.

Free & instant

Build your agent's guardrails in seconds.

Pick your stack and IDE — the Composer merges all CVE-backed rules into a single ready-to-paste file. No sign-up, no API key, no cost.

CLAUDE.md
# Aigent.ly guardrails — Next.js · Claude Code
# patterns + deps — auto-generated, do not edit manually

## Authentication & Session
WHEN generating login/register handlers
THEN always hash passwords with bcrypt (min 12 rounds).
If not possible, STOP and explain.

## Dependency Advisories
⚠ CVE-2026-45109 (HIGH) next@<15.3.3
  Middleware/proxy bypass via segment-prefetch.
  ACTION: upgrade to next ≥ 15.3.3 before shipping.

## Input Validation
WHEN accepting user input in API routes
THEN validate and sanitize with zod before use.
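
The Dependency Advisories entry in the sample above is an instruction to the model; the same line can also be checked mechanically against a project's manifest. An added example (not Aigent.ly's own code) that assumes the line format shown in the sample and handles only `<x.y.z` ranges; the dependency maps are constructed:

```javascript
// Added example (not Aigent.ly code): match "Dependency Advisories" entries
// against declared dependency versions. The line format is inferred from the
// CLAUDE.md sample above; only "<x.y.z" ranges are handled (assumption).
const GUARDRAILS = `## Dependency Advisories
⚠ CVE-2026-45109 (HIGH) next@<15.3.3
  Middleware/proxy bypass via segment-prefetch.
  ACTION: upgrade to next ≥ 15.3.3 before shipping.
`;

// Constructed inputs shaped like the "dependencies" object of package.json.
const VULNERABLE_DEPS = { next: "^15.2.4", zod: "3.23.8" };
const PATCHED_DEPS = { next: "15.3.3" };

const ADVISORY = /^\W*(CVE-\d{4}-\d+)\s+\((\w+)\)\s+(\S+)@<(\d+\.\d+\.\d+)\s*$/;

function parseAdvisories(text) {
  return text.split("\n")
    .map((line) => ADVISORY.exec(line))
    .filter(Boolean)
    .map(([, cve, severity, pkg, fixed]) => ({ cve, severity, pkg, fixed }));
}

// Numeric x.y.z comparison: negative when a < b. Pre-release tags are ignored.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Lowest version a declared range such as "^15.2.4" permits. The lockfile
// decides what is installed; the floor shows what the manifest still allows.
function floorOf(range) {
  const m = /(\d+)\.(\d+)\.(\d+)/.exec(range);
  return m ? `${m[1]}.${m[2]}.${m[3]}` : null;
}

function affected(advisories, deps) {
  return advisories
    .filter(({ pkg, fixed }) => {
      const floor = floorOf(deps[pkg] ?? "");
      return floor !== null && compareVersions(floor, fixed) < 0;
    })
    .map(({ cve, pkg, fixed }) => `${cve}: ${pkg} ${deps[pkg]} allows < ${fixed}`);
}

console.log(affected(parseAdvisories(GUARDRAILS), VULNERABLE_DEPS));
```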