> ## Documentation Index
> Fetch the complete documentation index at: https://docs.cysmiq.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Get vulnerability

> Returns detailed vulnerability context, with optional includes for locations, advisories, secrets, call hierarchies, impacts, and source snippets. Snippets are only returned when explicitly requested via include=snippet.



## OpenAPI

````yaml https://app.cysmiq.com/docs/tenant/openapi.json get /{tenant_slug}/vulnerabilities/{vulnerability}
openapi: 3.1.0
info:
  title: Cysmiq
  version: v1
  description: Tenant API
servers:
  - url: https://app.cysmiq.com/api/v1
    description: Production
security:
  - bearerAuth: []
tags:
  - name: Token
    description: Token introspection and authentication context.
  - name: Organizations
    description: Read-only organizational unit (org) data.
  - name: Repositories
    description: Read-only repository data.
  - name: Applications
    description: Read-only application data.
  - name: Scans
    description: Read-only scan status data for CI integrations.
  - name: Vulnerabilities
    description: Read-only vulnerability data for CI and reporting.
  - name: Policy Violations
    description: Read-only policy violation data for CI and reporting.
paths:
  /{tenant_slug}/vulnerabilities/{vulnerability}:
    get:
      tags:
        - Vulnerabilities
      summary: Get vulnerability
      description: >-
        Returns detailed vulnerability context, with optional includes for
        locations, advisories, secrets, call hierarchies, impacts, and source
        snippets. Snippets are only returned when explicitly requested via
        include=snippet.
      operationId: getVulnerability
      parameters:
        - name: include
          in: query
          schema:
            type:
              - string
              - 'null'
            maxLength: 255
        - name: fields
          in: query
          schema:
            type:
              - string
              - 'null'
            maxLength: 500
        - name: locations_limit
          in: query
          schema:
            type:
              - integer
              - 'null'
            minimum: 1
            maximum: 200
        - name: locations_scope
          in: query
          schema:
            type:
              - string
              - 'null'
            enum:
              - live
              - all
        - name: tenant_slug
          in: path
          required: true
          description: Workspace slug for the tenant context.
          schema: {}
          example: acme
        - name: vulnerability
          in: path
          required: true
          description: Vulnerability prefixed id (vc_...).
          schema:
            type: string
          example: vc_01hxyz
      responses:
        '200':
          description: Vulnerability detail response.
          content:
            application/json:
              schema:
                type: object
                required:
                  - vulnerability
                  - repository
                  - lifecycle
                  - locations
                  - details
                properties:
                  vulnerability:
                    description: >-
                      Vulnerability detail. The set of present fields depends on
                      the requested `fields` projection (default returns the
                      full set below).
                    type: object
                    additionalProperties: true
                    properties:
                      id:
                        type: string
                      title:
                        type: string
                      severity:
                        type: string
                      type:
                        type: string
                      status:
                        type: string
                      resolution:
                        type:
                          - string
                          - 'null'
                      state:
                        type: string
                      status_version:
                        type: string
                      confirmed:
                        type: boolean
                      triaged:
                        type: boolean
                      snoozed:
                        type: boolean
                      snoozed_until:
                        type:
                          - string
                          - 'null'
                      snooze_count:
                        type: integer
                      assignee:
                        type:
                          - object
                          - 'null'
                        additionalProperties: true
                        properties:
                          id:
                            type: string
                          display_name:
                            type:
                              - string
                              - 'null'
                          email:
                            type:
                              - string
                              - 'null'
                      introduced_at:
                        type:
                          - string
                          - 'null'
                      vulnerable_at:
                        type:
                          - string
                          - 'null'
                      exploitable_at:
                        type:
                          - string
                          - 'null'
                      human_escalation_required_at:
                        type:
                          - string
                          - 'null'
                      fixed_at:
                        type:
                          - string
                          - 'null'
                      resolved_at:
                        type:
                          - string
                          - 'null'
                      created_at:
                        type:
                          - string
                          - 'null'
                      updated_at:
                        type:
                          - string
                          - 'null'
                      cwes:
                        type: array
                        items:
                          type: object
                          additionalProperties: true
                          properties:
                            id:
                              type: string
                            cwe_id:
                              type: string
                            name:
                              type: string
                  repository:
                    type:
                      - object
                      - 'null'
                    additionalProperties: true
                    properties:
                      id:
                        type: string
                      name:
                        type: string
                      full_name:
                        type:
                          - string
                          - 'null'
                  lifecycle:
                    type:
                      - object
                      - 'null'
                    additionalProperties: true
                    properties:
                      first_seen_scan:
                        type:
                          - object
                          - 'null'
                        additionalProperties: true
                      fixed_scan:
                        type:
                          - object
                          - 'null'
                        additionalProperties: true
                  locations:
                    description: >-
                      Always includes `display` + `summary`.
                      `items`/`limit`/`truncated` are only present when the
                      request was made with `include=locations`.
                    type: object
                    additionalProperties: true
                    required:
                      - display
                      - summary
                    properties:
                      display:
                        type:
                          - object
                          - 'null'
                        additionalProperties: true
                        properties:
                          id:
                            type: string
                          path:
                            type: string
                          line:
                            type:
                              - integer
                              - 'null'
                          fixed_at:
                            type:
                              - string
                              - 'null'
                          vulnerable_at:
                            type:
                              - string
                              - 'null'
                          exploitable_at:
                            type:
                              - string
                              - 'null'
                          is_vulnerable:
                            type: boolean
                          is_exploitable:
                            type: boolean
                          reference:
                            type:
                              - object
                              - 'null'
                            additionalProperties: true
                          artifact:
                            type:
                              - object
                              - 'null'
                            additionalProperties: true
                      summary:
                        type: object
                        additionalProperties: true
                      items:
                        type: array
                        items:
                          type: object
                          additionalProperties: true
                      limit:
                        type: integer
                      truncated:
                        type: boolean
                  details:
                    description: >-
                      Type-discriminated detail block. Concrete fields depend on
                      `vulnerability.type` (dependency vs secret vs code). Call
                      hierarchy details include metadata, data-flow references,
                      and analysis only; source snippets are not returned.
                    type: object
                    additionalProperties: true
                    required:
                      - type
                    properties:
                      type:
                        type: string
                      call_hierarchies:
                        description: >-
                          Present for code vulnerabilities when requested with
                          `include=call_hierarchies`. This does not include
                          source snippets.
                        type: array
                        items:
                          type: object
                          additionalProperties: true
                          properties:
                            id:
                              type: string
                            label:
                              type: string
                            location:
                              type:
                                - object
                                - 'null'
                              additionalProperties: true
                              properties:
                                id:
                                  type: string
                                path:
                                  type: string
                                line:
                                  type:
                                    - integer
                                    - 'null'
                            is_stub:
                              type: boolean
                            is_exploitable:
                              type: boolean
                            exploitable_at:
                              type:
                                - string
                                - 'null'
                            data_flow:
                              type: array
                              items:
                                type: object
                                additionalProperties: true
                                properties:
                                  path:
                                    type:
                                      - string
                                      - 'null'
                                  line:
                                    type:
                                      - integer
                                      - 'null'
                                  description:
                                    type:
                                      - string
                                      - 'null'
                            analysis:
                              type: object
                              additionalProperties: true
              example:
                vulnerability:
                  id: vc_01hxyz
                  title: Prototype Pollution in lodash
                  severity: high
                  type: dependency
                  status: open
                  resolution: null
                  confirmed: true
                  triaged: false
                  introduced_at: '2026-01-10T09:14:00Z'
                  vulnerable_at: '2026-01-10T09:14:00Z'
                  exploitable_at: null
                  human_escalation_required_at: null
                  fixed_at: null
                  resolved_at: null
                  created_at: '2026-01-10T09:14:00Z'
                  updated_at: '2026-01-12T11:02:00Z'
                  cwes:
                    - id: cwe_79
                      cwe_id: CWE-79
                      name: Cross-site Scripting
                repository:
                  id: repo_01hxyz
                  name: widgets
                  full_name: acme/widgets
                lifecycle:
                  first_seen_scan:
                    id: scan_01hxyz
                    status: completed
                    ref: main
                    sha: a1b2c3d4
                    finished_at: '2026-01-14T17:45:00Z'
                    started_at: '2026-01-14T17:40:00Z'
                  fixed_scan: null
                locations:
                  display:
                    id: loc_01hxyz
                    path: package-lock.json
                    line: 142
                    fixed_at: null
                    vulnerable_at: '2026-01-10T09:14:00Z'
                    exploitable_at: null
                    is_vulnerable: true
                    is_exploitable: false
                    reference:
                      id: ref_01hxyz
                      ref: main
                      sha: a1b2c3d4
                      type: branch
                    artifact:
                      id: dep_01hxyz
                      type: dependency
                  summary:
                    total: 1
                    active: 1
                    fixed: 0
                    has_exploitable: false
                details:
                  type: dependency
                  package:
                    id: pkg_01hxyz
                    purl: pkg:npm/lodash@4.17.20
                    type: npm
                    namespace: null
                    name: lodash
                    version: 4.17.20
                    repository_url: https://github.com/lodash/lodash
                  identifiers:
                    ghsa: GHSA-xxxx-xxxx-xxxx
                    cve: CVE-2021-0000
        '401':
          $ref: '#/components/responses/UnauthorizedError'
        '403':
          $ref: '#/components/responses/ForbiddenError'
        '404':
          $ref: '#/components/responses/NotFoundError'
        '422':
          $ref: '#/components/responses/ValidationFailedError'
        '429':
          $ref: '#/components/responses/RateLimitedError'
        '500':
          $ref: '#/components/responses/InternalError'
        '503':
          $ref: '#/components/responses/ServiceUnavailableError'
components:
  responses:
    UnauthorizedError:
      description: Authentication is required or the token is invalid.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ApiError'
          examples:
            authenticationRequired:
              value:
                code: AUTHENTICATION_REQUIRED
                message: Unauthenticated.
    ForbiddenError:
      description: The token is authenticated but not permitted for this tenant or action.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ApiError'
          examples:
            tokenInvalidForTenant:
              value:
                code: TOKEN_INVALID_FOR_TENANT
                message: Token not valid for this tenant.
            tokenAbilityDenied:
              value:
                code: TOKEN_ABILITY_DENIED
                message: Forbidden.
    NotFoundError:
      description: The workspace or requested resource was not found.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ApiError'
          examples:
            tenantNotFound:
              value:
                code: TENANT_NOT_FOUND
                message: Workspace not found
            resourceNotFound:
              value:
                code: RESOURCE_NOT_FOUND
                message: Not found.
    ValidationFailedError:
      description: >-
        The request could not be processed because validation failed or filter
        values were unsupported.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ApiError'
          examples:
            validationFailed:
              value:
                code: VALIDATION_FAILED
                message: The given data was invalid.
                details:
                  errors:
                    severity:
                      - The selected severity is invalid.
            invalidFilterValue:
              value:
                code: INVALID_FILTER_VALUE
                message: 'Invalid filter value(s): critical'
                details:
                  invalid_values:
                    - critical
    RateLimitedError:
      description: The request exceeded the tenant API rate limit.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ApiError'
          examples:
            rateLimited:
              value:
                code: RATE_LIMITED
                message: Too Many Attempts.
    InternalError:
      description: The server encountered an unexpected error.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ApiError'
          examples:
            internalError:
              value:
                code: INTERNAL_ERROR
                message: Internal server error
    ServiceUnavailableError:
      description: The workspace or service is temporarily unavailable.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ApiError'
          examples:
            serviceUnavailable:
              value:
                code: SERVICE_UNAVAILABLE
                message: Service Unavailable
  schemas:
    ApiError:
      type: object
      required:
        - code
        - message
      properties:
        code:
          type: string
          description: Machine-readable error code.
        message:
          type: string
          description: Human-readable error message.
        details:
          type: object
          description: Optional structured error details.
          additionalProperties: true
  securitySchemes:
    bearerAuth:
      type: http
      description: 'Use a Cysmiq API token in the Authorization header: Bearer {token}.'
      scheme: bearer
      bearerFormat: Token

````