PT-2026-41954 · Hashicorp+1 · Go-Getter+1

Published: 2026-05-19 · Updated: 2026-05-19 · CVE-2026-47358

CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Terrascan versions prior to 1.18.4

Description: Terrascan is susceptible to Server-Side Request Forgery (SSRF) when operating in server mode. The issue occurs during the parsing of uploaded Infrastructure as Code (IaC) templates, specifically ARM or CloudFormation templates, where external URLs are resolved using the hashicorp/go-getter library with the FileDetector enabled. An unauthenticated remote attacker can upload templates containing a templateLink.uri or parametersLink.uri field in ARM templates, or an AWS::CloudFormation::Stack TemplateURL field in CloudFormation templates, pointing to a malicious URL. This allows the server to fetch the attacker-controlled URL and enables local file read via file:// URLs without requiring redirects. This affects deployments where the server binds to 0.0.0.0 without authentication.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
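As an added defensive illustration (not terrascan's or go-getter's code), the following Python pre-parse check walks an uploaded template and refuses the reference fields named in the description unless they are absolute https URLs to a non-local host, so a file:// or loopback link is rejected before any fetcher sees it. The JSON field paths and the sample templates are constructed assumptions for this example.

```python
import ipaddress
from urllib.parse import urlsplit

# Fields the advisory names as resolved via go-getter: ARM templateLink.uri /
# parametersLink.uri and AWS::CloudFormation::Stack TemplateURL.
REF_SUFFIXES = (".templateLink.uri", ".parametersLink.uri", ".TemplateURL")


def check_ref(raw: str):
    """Return a rejection reason, or None for an absolute https URL to a non-local host.
    Does not resolve DNS: a deployment must re-check the resolved address at connect time."""
    u = urlsplit(raw)
    if u.scheme.lower() != "https":
        return f"scheme {(u.scheme or '(none)')!r} not allowed; only https is fetched"
    host = (u.hostname or "").lower()
    if not host or host == "localhost":
        return "missing or local hostname"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # DNS name; must be re-validated after resolution in production
    if ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified or ip.is_reserved:
        return f"host {host} is not a public address"
    return None


def find_unsafe_refs(node, path: str = "$") -> dict:
    """Walk a decoded template and map each offending reference path to its reason."""
    bad = {}
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if isinstance(value, str) and child.endswith(REF_SUFFIXES):
                reason = check_ref(value)
                if reason:
                    bad[child] = reason
            bad.update(find_unsafe_refs(value, child))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            bad.update(find_unsafe_refs(value, f"{path}[{i}]"))
    return bad


# Constructed samples: an ARM nested deployment with a file:// link and a loopback link,
# and a CloudFormation stack resource whose TemplateURL is a legitimate https URL.
SAMPLE_ARM = {"resources": [{"type": "Microsoft.Resources/deployments", "properties": {
    "templateLink": {"uri": "file:///tmp/constructed.json"},
    "parametersLink": {"uri": "https://127.0.0.1/params.json"}}}]}
SAMPLE_CFN = {"Resources": {"Child": {"Type": "AWS::CloudFormation::Stack",
    "Properties": {"TemplateURL": "https://templates.example.com/child.json"}}}}
```

Running find_unsafe_refs(SAMPLE_ARM) reports both ARM links with their reasons, while SAMPLE_CFN yields no findings.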

Weakness Enumeration: SSRF

Related Identifiers: CVE-2026-47358

Affected Products: Terrascan, Go-Getter