Skip to main content
GET
/
{tenant_slug}
/
vulnerabilities
/
{vulnerability}
Get vulnerability
curl --request GET \
  --url https://app.cysmiq.com/api/v1/{tenant_slug}/vulnerabilities/{vulnerability} \
  --header 'Authorization: Bearer <token>'
import requests

url = "https://app.cysmiq.com/api/v1/{tenant_slug}/vulnerabilities/{vulnerability}"

headers = {"Authorization": "Bearer <token>"}

response = requests.get(url, headers=headers)

print(response.text)
const options = {method: 'GET', headers: {Authorization: 'Bearer <token>'}};

fetch('https://app.cysmiq.com/api/v1/{tenant_slug}/vulnerabilities/{vulnerability}', options)
.then(res => res.json())
.then(res => console.log(res))
.catch(err => console.error(err));
{
  "vulnerability": {
    "id": "vc_01hxyz",
    "title": "Prototype Pollution in lodash",
    "severity": "high",
    "type": "dependency",
    "status": "open",
    "resolution": null,
    "confirmed": true,
    "triaged": false,
    "introduced_at": "2026-01-10T09:14:00Z",
    "vulnerable_at": "2026-01-10T09:14:00Z",
    "exploitable_at": null,
    "human_escalation_required_at": null,
    "fixed_at": null,
    "resolved_at": null,
    "created_at": "2026-01-10T09:14:00Z",
    "updated_at": "2026-01-12T11:02:00Z",
    "cwes": [
      {
        "id": "cwe_79",
        "cwe_id": "CWE-79",
        "name": "Cross-site Scripting"
      }
    ]
  },
  "repository": {
    "id": "repo_01hxyz",
    "name": "widgets",
    "full_name": "acme/widgets"
  },
  "lifecycle": {
    "first_seen_scan": {
      "id": "scan_01hxyz",
      "status": "completed",
      "ref": "main",
      "sha": "a1b2c3d4",
      "finished_at": "2026-01-14T17:45:00Z",
      "started_at": "2026-01-14T17:40:00Z"
    },
    "fixed_scan": null
  },
  "locations": {
    "display": {
      "id": "loc_01hxyz",
      "path": "package-lock.json",
      "line": 142,
      "fixed_at": null,
      "vulnerable_at": "2026-01-10T09:14:00Z",
      "exploitable_at": null,
      "is_vulnerable": true,
      "is_exploitable": false,
      "reference": {
        "id": "ref_01hxyz",
        "ref": "main",
        "sha": "a1b2c3d4",
        "type": "branch"
      },
      "artifact": {
        "id": "dep_01hxyz",
        "type": "dependency"
      }
    },
    "summary": {
      "total": 1,
      "active": 1,
      "fixed": 0,
      "has_exploitable": false
    }
  },
  "details": {
    "type": "dependency",
    "package": {
      "id": "pkg_01hxyz",
      "purl": "pkg:npm/lodash@4.17.20",
      "type": "npm",
      "namespace": null,
      "name": "lodash",
      "version": "4.17.20",
      "repository_url": "https://github.com/lodash/lodash"
    },
    "identifiers": {
      "ghsa": "GHSA-xxxx-xxxx-xxxx",
      "cve": "CVE-2021-0000"
    }
  }
}

Authorizations

Authorization
string
header
required

Use a Cysmiq API token in the Authorization header: Bearer {token}.

Path Parameters

vulnerability
string
required

Vulnerability prefixed id (vc_...).

Query Parameters

include
string | null
Maximum string length: 255
fields
string | null
Maximum string length: 500
locations_limit
integer | null
Required range: 1 <= x <= 200
locations_scope
enum<string> | null
Available options:
live,
all

Response

Vulnerability detail response.

vulnerability
object
required

Vulnerability detail. The set of present fields depends on the requested fields projection (default returns the full set below).

repository
object | null
required
lifecycle
object | null
required
locations
object
required

Always includes display + summary. items/limit/truncated are only present when the request was made with include=locations.

details
object
required

Type-discriminated detail block. Concrete fields depend on vulnerability.type (dependency vs secret vs code). Call hierarchy details include metadata, data-flow references, and analysis only; source snippets are not returned.