PT-2026-41952 · Terrascan · Terrascan

Published 2026-05-19 · Updated 2026-05-19 · CVE-2026-47356

CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Terrascan versions prior to 1.18.3
Description: When running in server mode, Terrascan is susceptible to Server-Side Request Forgery (SSRF), a flaw in which an attacker can make the server issue requests to a destination of the attacker's choosing. An unauthenticated remote attacker can supply an arbitrary URL through the webhook url multipart form parameter of the "POST /v1/{iac}/{iacVersion}/{cloud}/local/file/scan" endpoint. When the file scan completes, the server sends an HTTP POST request to that URL with the scan results as a JSON body and the configured webhook token as a Bearer token in the Authorization header. The attacker can therefore both reach hosts that are only accessible from the server's network and capture the webhook token at an attacker-controlled destination. This issue affects deployments where the server binds to 0.0.0.0 without authentication.
Recommendations: The affected-version range points to 1.18.3 as the first unaffected release, but at the moment there is no confirmed information about a version that contains a fix. Until a fix is confirmed, do not expose server mode on 0.0.0.0 without authentication: bind it to a loopback or otherwise restricted interface, place it behind an authenticating reverse proxy, and restrict the server's outbound HTTP traffic to the intended webhook destinations. If an exposed instance was configured with a webhook token, treat that token as compromised and rotate it.
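The description above boils down to an egress decision made on an unvalidated, caller-supplied URL. The following is an added example of the check a maintainer or operator would put in front of such a callback; it is not Terrascan's own code, and the names WebhookPolicy, Validate and NewClient, the allowlisted hostnames and the sample URLs are this example's assumptions. It enforces an operator allowlist and TLS before any request is made, and re-checks the resolved address at dial time so that an allowlisted name that resolves (or later rebinds) to a loopback, private or link-local address is still refused.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
	"time"
)

// WebhookPolicy is a hypothetical egress policy for scan-result callbacks
// (this example's own type, not Terrascan's API).
type WebhookPolicy struct {
	AllowedHosts map[string]bool // lower-case hostnames or IP literals an operator approved
	RequireTLS   bool            // refuse plain http so the bearer token never travels in clear
}

// disallowedIP reports whether ip is a non-public address: loopback, RFC 1918,
// link-local (which covers 169.254.169.254), multicast or unspecified.
func disallowedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsInterfaceLocalMulticast() ||
		ip.IsMulticast() || ip.IsUnspecified()
}

// Validate vets a caller-supplied webhook URL before any request is built.
func (p WebhookPolicy) Validate(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	switch strings.ToLower(u.Scheme) {
	case "https":
	case "http":
		if p.RequireTLS {
			return nil, errors.New("webhook: plain http not allowed")
		}
	default:
		return nil, fmt.Errorf("webhook: scheme %q not allowed", u.Scheme)
	}
	if u.User != nil {
		return nil, errors.New("webhook: credentials in URL not allowed")
	}
	host := strings.ToLower(u.Hostname()) // brackets already stripped for IPv6 literals
	if host == "" {
		return nil, errors.New("webhook: empty host")
	}
	if !p.AllowedHosts[host] {
		return nil, fmt.Errorf("webhook: host %q not on allowlist", host)
	}
	// Defense in depth: an operator may allowlist an IP literal by mistake.
	if ip := net.ParseIP(host); ip != nil && disallowedIP(ip) {
		return nil, fmt.Errorf("webhook: %s is not a public address", ip)
	}
	return u, nil
}

// NewClient returns an http.Client that resolves the target itself, rejects
// non-public results, dials the vetted IP (not the name) and never follows
// redirects, so the allowlist cannot be bypassed via DNS or a 30x response.
func NewClient() *http.Client {
	dialer := &net.Dialer{Timeout: 5 * time.Second}
	tr := &http.Transport{
		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
			host, port, err := net.SplitHostPort(addr)
			if err != nil {
				return nil, err
			}
			ips, err := net.DefaultResolver.LookupIPAddr(ctx, host)
			if err != nil {
				return nil, err
			}
			if len(ips) == 0 {
				return nil, fmt.Errorf("webhook: %s did not resolve", host)
			}
			for _, a := range ips {
				if disallowedIP(a.IP) {
					return nil, fmt.Errorf("webhook: %s resolves to non-public %s", host, a.IP)
				}
			}
			// TLS still verifies against the URL's hostname; only the TCP dial uses the IP.
			return dialer.DialContext(ctx, network, net.JoinHostPort(ips[0].IP.String(), port))
		},
	}
	return &http.Client{
		Transport: tr,
		Timeout:   10 * time.Second,
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
}

func main() {
	policy := WebhookPolicy{AllowedHosts: map[string]bool{"hooks.example.com": true}, RequireTLS: true}
	for _, raw := range []string{ // constructed sample inputs
		"https://hooks.example.com/terrascan-results",
		"http://hooks.example.com/terrascan-results",
		"https://127.0.0.1:9010/",
		"https://169.254.169.254/latest/meta-data/",
		"file:///etc/passwd",
	} {
		if _, err := policy.Validate(raw); err != nil {
			fmt.Printf("reject %-45s %v\n", raw, err)
		} else {
			fmt.Printf("accept %s\n", raw)
		}
	}
	_ = NewClient() // use this client for the result POST so the dial-time check applies too
}
```

The allowlist is the primary control; the IP-range check exists only so that a wrongly allowlisted literal or a name that resolves internally still fails. Because the token in the Authorization header is the sensitive part, the policy also refuses plain http, and the client refuses redirects so a public allowlisted host cannot bounce the request (and the token) elsewhere.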

Weakness Enumeration: SSRF

Related Identifiers: CVE-2026-47356

Affected Products: Terrascan