Vulnerabilities
API endpoints for managing vulnerability findings
Vulnerabilities API
Retrieve and manage vulnerability findings from your scans.
List Vulnerabilities
GET /vulnerabilities
Retrieve vulnerabilities across your applications.
Query Parameters
| Parameter | Type | Description |
|---|---|---|
| application_id | string | Filter by application |
| scan_id | string | Filter by scan |
| severity | string | critical, high, medium, low, info |
| status | string | open, in_progress, fixed, accepted, false_positive |
| category | string | OWASP category (e.g., injection, broken_auth) |
| page | integer | Page number |
| per_page | integer | Items per page |
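
Collecting every finding that matches a filter means walking `page` and `per_page` until the `meta` object of the response (shown below) says there is nothing left. The following is an added example, not code from the API's own documentation: `list_all`, `by_cvss`, `fake_get` and `SAMPLE` are hypothetical names, the stand-in data is constructed so it runs offline, and it assumes pages are numbered from 1 and that `meta.total` counts all matching findings.

```python
import json
import math
import urllib.parse
import urllib.request

BASE_URL = "https://api.modernpentest.com/v1"  # base URL as used in this page's curl examples

def http_get(path, params, api_key):
    """Real transport: GET with the Bearer header shown in this page's examples."""
    url = f"{BASE_URL}{path}?{urllib.parse.urlencode(params)}"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {api_key}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def list_all(filters, api_key, get=http_get, per_page=20):
    """Collect every finding matching `filters`, following meta.total/page/per_page."""
    findings, page = [], 1
    while True:
        body = get("/vulnerabilities", {**filters, "page": page, "per_page": per_page}, api_key)
        findings.extend(body["data"])
        meta = body["meta"]
        # Assumption: pages start at 1; use the per_page the server echoes back,
        # since it may differ from the value requested.
        last_page = max(1, math.ceil(meta["total"] / meta["per_page"]))
        if page >= last_page or not body["data"]:
            return findings
        page += 1

def by_cvss(findings):
    """Order findings for triage: highest CVSS first, earliest discovery first on ties."""
    return sorted(findings, key=lambda f: (-f["cvss"], f["discovered_at"]))

# Constructed stand-in for the API: 30 open critical findings, served 20 per page.
SAMPLE = [{"id": f"vuln_{i:03d}", "severity": "critical", "status": "open",
           "cvss": 9.8 if i % 2 else 9.1, "discovered_at": "2025-01-15T10:30:00Z"}
          for i in range(1, 31)]

def fake_get(path, params, api_key):
    """Offline replacement for http_get that pages through SAMPLE."""
    start = (params["page"] - 1) * params["per_page"]
    return {"data": SAMPLE[start:start + params["per_page"]],
            "meta": {"total": len(SAMPLE), "page": params["page"], "per_page": params["per_page"]}}

if __name__ == "__main__":
    rows = by_cvss(list_all({"severity": "critical", "status": "open"}, "YOUR_API_KEY", get=fake_get))
    print(len(rows), rows[0]["id"], rows[0]["cvss"])
```

Drop the `get=fake_get` argument to run the same loop against the live endpoint with a real API key.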
Response
```json
{
  "data": [
    {
      "id": "vuln_001",
      "title": "SQL Injection",
      "severity": "critical",
      "status": "open",
      "category": "injection",
      "cwe": "CWE-89",
      "cvss": 9.8,
      "application_id": "app_abc123",
      "application_name": "Production App",
      "scan_id": "scan_xyz789",
      "location": {
        "url": "https://app.example.com/api/users",
        "parameter": "id",
        "method": "GET"
      },
      "discovered_at": "2025-01-15T10:30:00Z"
    }
  ],
  "meta": {
    "total": 30,
    "page": 1,
    "per_page": 20
  }
}
```
Example
```bash
curl -X GET "https://api.modernpentest.com/v1/vulnerabilities?severity=critical&status=open" \
  -H "Authorization: Bearer YOUR_API_KEY"
```
Get Vulnerability
GET /vulnerabilities/{id}
Get detailed information about a specific vulnerability.
Response
```json
{
  "id": "vuln_001",
  "title": "SQL Injection",
  "severity": "critical",
  "status": "open",
  "category": "injection",
  "cwe": "CWE-89",
  "cvss": 9.8,
  "application_id": "app_abc123",
  "application_name": "Production App",
  "scan_id": "scan_xyz789",
  "location": {
    "url": "https://app.example.com/api/users",
    "parameter": "id",
    "method": "GET"
  },
  "description": "The 'id' parameter in the /api/users endpoint is vulnerable to SQL injection. An attacker can manipulate database queries to access or modify data.",
  "evidence": {
    "request": {
      "method": "GET",
      "url": "https://app.example.com/api/users?id=1'",
      "headers": {
        "Authorization": "Bearer [REDACTED]"
      }
    },
    "response": {
      "status": 500,
      "body": "SQL syntax error near '''...",
      "headers": {}
    }
  },
  "impact": "An attacker could read, modify, or delete database records. This could lead to complete data breach, data manipulation, or denial of service.",
  "remediation": {
    "summary": "Use parameterized queries or prepared statements",
    "steps": [
      "Replace string concatenation with parameterized queries",
      "Use your ORM's built-in query builder",
      "Add input validation as defense-in-depth"
    ],
    "code_example": {
      "vulnerable": "const query = `SELECT * FROM users WHERE id = ${req.params.id}`;",
      "fixed": "const query = 'SELECT * FROM users WHERE id = $1'; const params = [req.params.id];"
    },
    "references": [
      "https://owasp.org/Top10/A03_2021-Injection/",
      "https://cwe.mitre.org/data/definitions/89.html"
    ]
  },
  "risk_assessment": {
    "exploitability": "high",
    "impact": "critical",
    "confidence": "confirmed"
  },
  "discovered_at": "2025-01-15T10:30:00Z",
  "last_seen_at": "2025-01-15T10:30:00Z",
  "assigned_to": null,
  "notes": []
}
```
Update Vulnerability
PATCH /vulnerabilities/{id}
Update the status or other details of a vulnerability.
Request Body
```json
{
  "status": "fixed",
  "notes": "Fixed in commit abc123, deployed to production"
}
```
Allowed Updates
| Field | Type | Description |
|---|---|---|
| status | string | open, in_progress, fixed, accepted, false_positive |
| assigned_to | string | User ID to assign |
| notes | string | Add a note about the finding |
| priority | string | Override priority: p1, p2, p3 |
Response
Returns the updated vulnerability object.
Example
```bash
curl -X PATCH https://api.modernpentest.com/v1/vulnerabilities/vuln_001 \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "status": "fixed",
    "notes": "Fixed via parameterized queries in PR #456"
  }'
```
Vulnerability Statistics
GET /vulnerabilities/stats
Get aggregated vulnerability statistics.
Query Parameters
| Parameter | Type | Description |
|---|---|---|
| application_id | string | Filter by application |
| date_from | string | Start date (ISO 8601) |
| date_to | string | End date (ISO 8601) |
Response
```json
{
  "total": 45,
  "by_severity": {
    "critical": 2,
    "high": 8,
    "medium": 15,
    "low": 12,
    "info": 8
  },
  "by_status": {
    "open": 10,
    "in_progress": 5,
    "fixed": 25,
    "accepted": 3,
    "false_positive": 2
  },
  "by_category": {
    "injection": 8,
    "broken_auth": 5,
    "broken_access_control": 12,
    "security_misconfiguration": 10,
    "other": 10
  },
  "trend": {
    "new_this_period": 15,
    "fixed_this_period": 20,
    "change": -5
  }
}
```
Webhook Events
Vulnerabilities trigger the following webhook events:
| Event | Description |
|---|---|
| vulnerability.found | New vulnerability discovered |
| vulnerability.updated | Status or details changed |
| vulnerability.fixed | Marked as fixed |
See Webhooks for configuration.
Last updated: December 8, 2025