Exceptions via API - 406's

So im fairly new to working with the API and Postman, so lets get that out of the way first :wink:

Im trying to do some testing of pushing exceptions in via the API ( as we have hundreds we want to exclude (dont ask) and im not doing that manually!

But im getting 406’s. Ive checked the headers as referenced in a couple of other posts and they seem ok to me.

Can anybody spot anything obvious in this that could be worng or should I be looking elsewhere ( in postman for example)

curl --location --request POST 'https://insightvm:3780/api/3/vulnerability_exceptions' \

--header 'Content-Type: application/json' \

--header 'Accept: application/json' \

--header 'Authorization: Basic aWFtQVBJOkZHUUNqTzcjM2pRbTFqZ3RaMWpnTw==' \

--header 'Cookie: nexposeCCSessionID=1FDA80410870D907BF87F9337DF67FF9D92884DC' \

--data-raw '       {

       "expires": "2021-09-03T012:00:00.000Z",

            "review": {

                "comment": "Auto approved by submitter.",

                "date": "2020-09-01T13:35:34.124Z",


            "scope": {              

                "type": "Global",

                "vulnerability": "msft-cve-2017-0107"


            "state": "approved",

            "submit": {

                "reason": "Other",



Your headers look to be correct and that is usually the issue, I was looking though old posts and someone said upgrading Postman fixed this for them.


oooh interesting…woth a try. thanks for looking

Well thats 2 days of my life I wont get back. :laughing:

Updated ( it was only a minor version or so out of date)
Still not working , but the 406’s are gone now and been replaced with 400’s…so that’s a definite step in the right direction !

    "status": 400,
    "message": "Request body is missing from the request. A request body is required for this resource.",
    "links": [
            "href": "https://insightvm:3780/api/3/vulnerability_exceptions",
            "rel": "self"

Wow…it’s working!

You Sir, are a scholar and a Gentleman. Thank you.


thank you, but credit goes to @nate.whistler_nate.whistler for discovering this