So you can’t actually run a report on vulnerabilities that are excepted because once the exception is put in place it effectively removes those entries from the database or “hides” them to where you can’t report on them.
To get a CSV of ALL the vulnerabilities currently in your environment (exceptions applied) you can just use the “Basic Vulnerabilities Check” report.
Caveat to this is that you could use a script to essentially copy the contents of all the exceptions through the API, delete the exceptions and then resubmit them (WITHOUT APPROVING THEM) and that adds a value to one of the tables to show that the vulnerability has a pending exception for it. With this you could write a SQL report to specifically target those vulnerabilities with a pending exception if that’s all you’re trying to report on.
note: make sure you approve those exceptions after the report runs