{"id":"prod_02S8cxZHdXV8zT_lFRq25","name":"Application Security","slug":"application-security","orgId":"org_fW6EY8PY8Cr42ifo1IUAm","url":null,"description":null,"category":"infrastructure","kind":"platform","avatarUrl":null,"createdAt":"2026-06-19T21:03:32.320Z","embeddedAt":"2026-06-19T21:03:34.273Z","deletedAt":null,"sources":[{"id":"src_qqhTsbg70x4e1IMbX1Dbx","slug":"cloudflare-application-security","name":"Application Security Changelog","type":"feed","url":"https://developers.cloudflare.com/changelog/?area=application-security","metadata":"{\"feedUrl\":\"https://developers.cloudflare.com/changelog/rss/application-security.xml\",\"feedType\":\"unknown\",\"feedDiscoveredAt\":\"2026-06-19T21:04:41.921Z\",\"noFeedFound\":false,\"feedContentDepth\":\"full\",\"feedEtag\":\"\\\"1177ce943c953bb45fef0df3fa282e74\\\"\",\"feedContentLength\":\"439189\",\"enrichment\":{\"consecutiveFailures\":0}}","kind":null}],"tags":[],"aliases":[],"notice":null,"releases":[{"id":"rel_z8usPQvSicyDCo_qsZLcu","version":null,"type":"feature","title":"WAF - WAF Release - Scheduled changes for 2026-06-22","summary":"Announcement Date\n\nRelease Date\n\nRelease Behavior\n\nLegacy Rule ID\n\nRule ID\n\nDescription\n\nComments\n\n2026-06-15\n\n2026-06-22\n\nLog\n\nN/A\n\n500a90789f874345b...","titleGenerated":null,"titleShort":null,"content":"Announcement Date\n\nRelease Date\n\nRelease Behavior\n\nLegacy Rule ID\n\nRule ID\n\nDescription\n\nComments\n\n2026-06-15\n\n2026-06-22\n\nLog\n\nN/A\n\n500a90789f874345b60b0de7242fdf83\n\nIvanti Sentry - Command Injection - CVE:CVE-2026-10520\n\nThis is a new detection.","publishedAt":"2026-06-15T00:00:00.000Z","url":"https://developers.cloudflare.com/changelog/post/scheduled-waf-release/","media":[],"prerelease":false,"source":{"slug":"cloudflare-application-security","name":"Application Security Changelog","type":"feed"},"product":{"slug":"application-security","name":"Application Security"},"groupSlug":"application-security","groupName":"Application 
Security","coverageCount":0,"contentChars":247,"contentTokens":81,"composition":null},{"id":"rel_lLpAiqyCos_Vh9lKYJKmA","version":null,"type":"feature","title":"WAF - WAF Release - 2026-06-15","summary":"This week's release introduces new managed protection to address a critical SQL injection vulnerability in Ghost CMS (CVE-2026-26980) and a new generi...","titleGenerated":null,"titleShort":null,"content":"This week's release introduces new managed protection to address a critical SQL injection vulnerability in Ghost CMS (CVE-2026-26980) and a new generic rule designed to identify and block sophisticated SQL Injection (SQLi) bypass attempts leveraging obfuscated boolean logic. These rules protect affected installations from unauthorized data exfiltration at the network edge.\n\n**Key Findings**\n\n- CVE-2026-26980: A blind SQL injection vulnerability in the Ghost CMS Content API (versions 3.24.0 to 6.19.0) allows unauthenticated remote attackers to inject malicious SQL commands via query parameters due to improper input validation.\n\nRuleset\n\nRule ID\n\nLegacy Rule ID\n\nDescription\n\nPrevious Action\n\nNew Action\n\nComments\n\nCloudflare Managed Ruleset\n\n439c4ef64b32447989bdf412b4c29bc6\n\nN/A\n\nGhost CMS - SQLi - CVE:CVE-2026-26980\n\nLog\n\nBlock\n\nThis is a new detection.\n\nCloudflare Managed Ruleset\n\n6c64b68ef5ed45e7a622cdaab56f403f\n\nN/A\n\nSQLi - Obfuscated Boolean - URI\n\nLog\n\nDisabled\n\nThis is a new detection.","publishedAt":"2026-06-15T00:00:00.000Z","url":"https://developers.cloudflare.com/changelog/post/2026-06-15-waf-release/","media":[],"prerelease":false,"source":{"slug":"cloudflare-application-security","name":"Application Security Changelog","type":"feed"},"product":{"slug":"application-security","name":"Application Security"},"groupSlug":"application-security","groupName":"Application 
Security","coverageCount":0,"contentChars":1004,"contentTokens":251,"composition":null},{"id":"rel_bL79mjnkL9eO8CZdbBV6Y","version":null,"type":"feature","title":"WAF - Use Cloudforce One threat intelligence in WAF rules","summary":"You can now match incoming requests against Cloudforce One threat intelligence in your WAF rules. A new detection looks up the client IP address of ea...","titleGenerated":null,"titleShort":null,"content":"You can now match incoming requests against Cloudforce One threat intelligence in your WAF rules. A new detection looks up the client IP address of each request against the threat intelligence database. If the IP was involved in threat activity in the past seven days, Cloudflare populates `cf.intel.ip.*` fields that you can use in [custom rules](https://developers.cloudflare.com/waf/custom-rules/) and [rate limiting rules](https://developers.cloudflare.com/waf/rate-limiting-rules/).\n\nThe detection populates the following fields. Use the [`any()`](https://developers.cloudflare.com/ruleset-engine/rules-language/functions/#any) function with the `[*]` wildcard to match array values:\n\n- `cf.intel.ip.datasets` — the dataset that flagged the IP address (`ddos` or `waf`).\n- `cf.intel.ip.target_industries` — industries the IP address has targeted.\n- `cf.intel.ip.attacker_names` — known threat actors associated with the IP address.\n- `cf.intel.ip.attacker_countries` — source countries of the threat activity.\n- `cf.intel.ip.target_countries` — countries the IP address has targeted.\n\nFor example, the following custom rule expression blocks requests from IP addresses associated with DDoS activity that have targeted France:\n\n```txt\nany(cf.intel.ip.target_countries[*] == \"FR\") and any(cf.intel.ip.datasets[*] == \"ddos\")\n```\n\nThese fields work with the Cloudflare API and Terraform. 
Matches are logged in [Security Analytics](https://developers.cloudflare.com/waf/analytics/security-analytics/).\n\nThe threat intelligence detection is available to customers with an active [Cloudforce One](https://developers.cloudflare.com/security-center/cloudforce-one/) subscription. For more information, refer to [Threat intelligence](https://developers.cloudflare.com/waf/detections/threat-intelligence/).","publishedAt":"2026-06-15T00:00:00.000Z","url":"https://developers.cloudflare.com/changelog/post/2026-06-15-threat-intelligence-fields/","media":[],"prerelease":false,"source":{"slug":"cloudflare-application-security","name":"Application Security Changelog","type":"feed"},"product":{"slug":"application-security","name":"Application Security"},"groupSlug":"application-security","groupName":"Application Security","coverageCount":0,"contentChars":1835,"contentTokens":401,"composition":null},{"id":"rel_xalhvSGq7D3tEuKcU8rLx","version":null,"type":"feature","title":"Security Center - Automated Cease and Desist templates for Brand Protection","summary":"**TL;DR:** Brand Protection now features an **Automated Cease & Desist (C&D)** workflow. When you discover an infringing domain hosted outside of Clou...","titleGenerated":null,"titleShort":null,"content":"**TL;DR:** Brand Protection now features an **Automated Cease & Desist (C&D)** workflow. 
When you discover an infringing domain hosted outside of Cloudflare, you can instantly generate, review, and download a custom-branded, pre-filled legal notice in seconds.\n\n#### Why this matters\n\nThis update introduces a major shift from pure detection to actionable enforcement, eliminating the manual burden for your Trust & Safety and Legal teams:\n\n- **Instant WHOIS and Recipient Lookup:** We automatically scrape registrar data and WHOIS contact information (such as the registrant or registrar abuse email) behind the scenes, highlighting exactly where your notice needs to be sent\n- **Smart Template Automation:** We pre-fill your custom-branded templates with essential metadata, including the infringing domain, registrar name, and discovery date.\n- **Tailored Enforcement Tones:** Choose from three default layout strategies depending on the severity of the infrastructure match:\n    -   *Exact Match:* A formal demand for identical trademark infringements\n    -   *Similar Match:* A standard notice optimized for typosquatting (one-character distance matches)\n    -   *Friendly Tone:* An amicable initial outreach for potential unintentional or accidental infringements\n- **Full Editing Control:** Before creating the final PDF, a real-time review screen allows you to fine-tune the messaging, modify placeholders, and ensure your text aligns perfectly with internal legal standards\n\n#### How it works\n\nWhen reviewing a malicious domain match inside your dashboard, your enforcement path splits depending on where the attacker is located:\n\n1. **On the Cloudflare Network:** If the domain uses Cloudflare’s network or registrar, trigger our existing integrated abuse reporting flow with one click.\n2. 
**Hosted Elsewhere:** If the domain is hosted on an external provider, click the **Generate C&D Letter** option to launch the new document builder, pick your template, verify the auto-populated recipient data, and download your finalized PDF.\n\nYou can manage your templates and enforce matches by going to the **Cloudflare Dashboard > Application Security > Brand Protection** and selecting your detected Brand Protection matches. For more information, read the [Brand Protection documentation](https://developers.cloudflare.com/security-center/brand-protection/).\n\n> **Note:** Cloudflare does not represent you and cannot provide you with legal advice. Only you can decide whether your rights have been infringed, whether a cease and desist letter is appropriate, and what that letter should say.","publishedAt":"2026-06-10T00:00:00.000Z","url":"https://developers.cloudflare.com/changelog/post/2026-06-08-brand-protection-cease-and-desist-letters/","media":[],"prerelease":false,"source":{"slug":"cloudflare-application-security","name":"Application Security Changelog","type":"feed"},"product":{"slug":"application-security","name":"Application Security"},"groupSlug":"application-security","groupName":"Application Security","coverageCount":0,"contentChars":2597,"contentTokens":500,"composition":null},{"id":"rel_nlXfBqrgs2EjZEWzNWSQq","version":null,"type":"feature","title":"WAF - WAF Release - 2026-06-09","summary":"This release introduces new detections for a critical SQL injection vulnerability in Drupal installations utilizing PostgreSQL (CVE-2026-9082), alongs...","titleGenerated":null,"titleShort":null,"content":"This release introduces new detections for a critical SQL injection vulnerability in Drupal installations utilizing PostgreSQL (CVE-2026-9082), alongside targeted protection for an unsafe deserialization flaw in the Mirasvit Cache Warmer extension (CVE-2026-45247). 
Additionally, this release includes coverage for a prototype pollution vector in Axios (CVE-2026-40175) and a new generic rule designed to identify and block sophisticated SQL Injection (SQLi) bypass attempts leveraging obfuscated boolean logic.\n\n**Key Findings**\n\n- CVE-2026-9082: A database abstraction vulnerability affects Drupal sites configured with a PostgreSQL backend. Remote, unauthenticated attackers can exploit this flaw via crafted inputs to inject malicious SQL commands and access or manipulate backend data.\n    \n- CVE-2026-45247: A PHP Object Injection vulnerability exists in the Mirasvit Cache Warmer extension for Magento and Adobe Commerce. This flaw stems from unsafe deserialization of untrusted user input, enabling unauthenticated attackers to execute arbitrary code on the hosting server.\n    \n- CVE-2026-40175: A prototype pollution vulnerability affects the Axios HTTP client library. Attackers can exploit this to inject malicious properties into the global JavaScript object prototype, potentially causing application crashes (Denial of Service) or executing unauthorized code depending on the application structure.\n    \n\n**Impact**\n\nSuccessful exploitation of these vulnerabilities could allow unauthenticated attackers to execute arbitrary code, manipulate database contents, or induce application crashes, leading to severe operational disruption or complete server compromise. 
These newly deployed signatures intercept these advanced malicious payloads at the edge before they can interact with vulnerable software configurations.\n\nRuleset\n\nRule ID\n\nLegacy Rule ID\n\nDescription\n\nPrevious Action\n\nNew Action\n\nComments\n\nCloudflare Managed Ruleset\n\nb4f88cb767874def810edd0b387cf935\n\nN/A\n\nAxios - Prototype Pollution - CVE:CVE-2026-40175\n\nLog\n\nBlock\n\nThis is a new detection.\n\nCloudflare Managed Ruleset\n\n098997bb8b5f48abb4039bd6417eb9e0\n\nN/A\n\nDrupal - PostgreSQL SQLi - CVE:CVE-2026-9082 - Body\n\nLog\n\nBlock\n\nThis is a new detection.\n\nCloudflare Managed Ruleset\n\n8a7650b99ec04a91a19b8295fd3857fd\n\nN/A\n\nDrupal - PostgreSQL SQLi - CVE:CVE-2026-9082 - URI\n\nLog\n\nBlock\n\nThis is a new detection.\n\nCloudflare Managed Ruleset\n\n525c0871787840e6a6193f6caee241d2\n\nN/A\n\nSQLi - Obfuscated Boolean - Body\n\nN/A\n\nDisabled\n\nThis is a new detection.\n\nCloudflare Managed Ruleset\n\n1ec4aeaf7900463397b82b35d8620070\n\nN/A\n\nSQLi - Obfuscated Boolean - Headers\n\nN/A\n\nDisabled\n\nThis is a new detection.\n\nCloudflare Managed Ruleset\n\nfb74766654c44ff2a5204dc4e0be4d47\n\nN/A\n\nMirasvit Cache Warmer - PHP Object Injection - CVE:CVE-2026-45247\n\nN/A\n\nBlock\n\nThis is a new detection.","publishedAt":"2026-06-09T00:00:00.000Z","url":"https://developers.cloudflare.com/changelog/post/2026-06-09-waf-release/","media":[],"prerelease":false,"source":{"slug":"cloudflare-application-security","name":"Application Security Changelog","type":"feed"},"product":{"slug":"application-security","name":"Application Security"},"groupSlug":"application-security","groupName":"Application Security","coverageCount":0,"contentChars":2847,"contentTokens":663,"composition":null},{"id":"rel_bg3hihp99MCdQpRiA4Nhi","version":null,"type":"feature","title":"Security Center - Create WAF rules directly from Threat Events saved views","summary":"Cloudforce One users can now turn [Threat Events 
indicators](https://developers.cloudflare.com/security-center/cloudforce-one/#analyze-threat-events) ...","titleGenerated":null,"titleShort":null,"content":"Cloudforce One users can now turn [Threat Events indicators](https://developers.cloudflare.com/security-center/cloudforce-one/#analyze-threat-events) into active defense. With this update, users can instantly generate a WAF rule that matches the dynamic list of IP addresses returned by any of their **Saved Views**.\n\n#### Why this matters\n\nThreat intelligence is most effective when it is immediately actionable. Previously, blocking threat actors required manually extracting indicators from threat events and copying them into your firewall rules. This new integration bridges the gap between threat discovery and threat mitigation:\n\n- When you identify an active threat pattern - such as an ongoing campaign targeting a specific industry, or using a known indicator type - you can pivot from investigation to mitigation in a single click.\n- Instead of writing complex, static IP rules, this functionality allows you to leverage the specific filtering logic you have already defined and saved within your Threat Events ecosystem.\n- Automating the generation of the WAF rule expression from your threat views eliminates manual copying errors, ensuring that the right malicious infrastructure is blocked instantly.\n\n#### How to use it\n\nYou can implement these rules through both the dashboard UI and via the API / Terraform.\n\nGo to **Cloudflare Dashboard** > **Application Security** > **Threat Intelligence** > **Manage Views**, select your desired view, and select **Create WAF Rule**.\n\nThis will automatically pre-populate the [WAF rule builder](https://developers.cloudflare.com/firewall/cf-dashboard/create-edit-delete-rules/) with the matching threat event IP indicators.\n\nYou can also automate this workflow by utilizing the [**WAF Rule Builder 
API**](https://developers.cloudflare.com/firewall/api/cf-firewall-rules/) alongside your [Threat Events saved views endpoints](https://developers.cloudflare.com/firewall/api/cf-firewall-rules/).","publishedAt":"2026-06-08T00:00:00.000Z","url":"https://developers.cloudflare.com/changelog/post/2026-06-08-create-waf-rules-from-threat-events/","media":[],"prerelease":false,"source":{"slug":"cloudflare-application-security","name":"Application Security Changelog","type":"feed"},"product":{"slug":"application-security","name":"Application Security"},"groupSlug":"application-security","groupName":"Application Security","coverageCount":0,"contentChars":1947,"contentTokens":369,"composition":null},{"id":"rel_H3iXx0EG1FDe6anWqoo-n","version":null,"type":"feature","title":"Security Center - Introducing Threat Actor Profiles in Threat Events","summary":"**TL;DR:** We’ve launched **Threat Actor Profiles** directly inside the Threat Events dashboard. You can now immediately pivot from a generic alert or...","titleGenerated":null,"titleShort":null,"content":"**TL;DR:** We’ve launched **Threat Actor Profiles** directly inside the Threat Events dashboard. You can now immediately pivot from a generic alert or blocked event to a profile that unmasks the \"Who, Why, and How\" behind a threat event.\n\n#### Why this matters\n\nSecurity teams often suffer from a visibility gap. When an attack is blocked, it's difficult to know if it was a random automated bot or a sophisticated advanced persistent threat (APT) campaign specifically targeting your industry. Finding out usually means leaving your security dashboard to hunt through external OSINT feeds or static, out-of-date threat reports. Threat Actor Profiles solve this by sharing Cloudforce One’s deep adversary research directly inside your workflow:\n\n- Cloudflare sees the traffic in real-time across approximately 20% of the web. 
This means actor profiles display active malicious infrastructure the moment it touches our global edge.\n- Every profile provides clear strategic and tactical modules including alternative aliases, origin tracking, historical threat event volume, and MITRE ATT&CK mapping detailing the adversary's technical methods.\n- You can search the dedicated threat actor directory or click an actor's name inside any threat event to view all details and related events to the specific threat actor.\n\n#### How to use it\n\nAdversary tracking is now available in the Cloudflare Dashboard and ready to be included in your daily investigation workflow:\n\n- Click on the **Threat Actor** name in the Threat Events table to open their full identity profile and review their aliases and attack stats.\n- Navigate to **Cloudflare Dashboard > Application Security > Threat Intelligence** to explore the new **Threat Actors** tab. Here, you can browse a card-based directory of all established entities tracked by Cloudforce One.\n\nLearn more in the [Cloudforce One documentation](https://developers.cloudflare.com/security-center/cloudforce-one/#identify-the-adversary).","publishedAt":"2026-06-08T00:00:00.000Z","url":"https://developers.cloudflare.com/changelog/post/2026-06-08-threat-actor-profiles/","media":[],"prerelease":false,"source":{"slug":"cloudflare-application-security","name":"Application Security Changelog","type":"feed"},"product":{"slug":"application-security","name":"Application Security"},"groupSlug":"application-security","groupName":"Application Security","coverageCount":0,"contentChars":1973,"contentTokens":375,"composition":null},{"id":"rel_yRssFSfA7PfK1KfgK7mxk","version":null,"type":"feature","title":"Security Center - Security scans more frequent","summary":"Security Insights scans now run more often. 
Cloudflare scans Free accounts **every 7 days**, Pro and Business accounts **every 3 days**, and Enterpris...","titleGenerated":null,"titleShort":null,"content":"Security Insights scans now run more often. Cloudflare scans Free accounts **every 7 days**, Pro and Business accounts **every 3 days**, and Enterprise accounts **daily**.\n\nIn addition, all accounts and zones now receive scans by default. You no longer need to enable scans before Cloudflare checks your account for misconfigurations, vulnerabilities, and other security risks.\n\nGranular on-demand scans are now available on any plan. You can trigger an on-demand scan for any zone, insight, or insight type from the Cloudflare dashboard in order to quickly re-check your security posture after remediating an issue.\n\nTo learn more, refer to the [Security Insights documentation](https://developers.cloudflare.com/security/security-insights/).","publishedAt":"2026-05-29T00:00:00.000Z","url":"https://developers.cloudflare.com/changelog/post/2026-05-29-security-insights-default-scans/","media":[],"prerelease":false,"source":{"slug":"cloudflare-application-security","name":"Application Security Changelog","type":"feed"},"product":{"slug":"application-security","name":"Application Security"},"groupSlug":"application-security","groupName":"Application Security","coverageCount":0,"contentChars":740,"contentTokens":145,"composition":null},{"id":"rel_8oQKCQNV79wTOQdINtpSW","version":null,"type":"feature","title":"WAF - WAF Release - 2026-05-20","summary":"## WAF Release - 2026-05-20\n\nMay 20, 2026 \n\n**Key Findings**\n\n* Existing rule enhancements have been deployed to improve detection resilience against ...","titleGenerated":null,"titleShort":null,"content":"## WAF Release - 2026-05-20\n\nMay 20, 2026 \n\n**Key Findings**\n\n* Existing rule enhancements have been deployed to improve detection resilience against broad classes of web attacks and strengthen behavioral coverage.\n\n**Continuous Rule Improvements**\n\nWe 
are continuously refining our managed rules to provide more resilient protection and deeper insights into attack patterns. To ensure an optimal security posture, we recommend consistently monitoring the Security Events dashboard and adjusting rule actions as these enhancements are deployed.\n\n| Ruleset                    | Rule ID     | Legacy Rule ID | Description                                          | Previous Action | New Action | Comments                                                                                                          |\n| -------------------------- | ----------- | -------------- | ---------------------------------------------------- | --------------- | ---------- | ----------------------------------------------------------------------------------------------------------------- |\n| Cloudflare Managed Ruleset | ...9e9c068d | N/A            | Sitecore - Cache Poisoning - CVE:CVE-2025-53693 Beta | N/A             | Block      | This rule is merged into the original rule \"Sitecore - Cache Poisoning - CVE:CVE-2025-53693\" (ID: ...7c5b669c  ). 
|","publishedAt":"2026-05-20T00:00:00.000Z","url":"https://developers.cloudflare.com/changelog/post/2026-05-20-waf-release/","media":[],"prerelease":false,"source":{"slug":"cloudflare-application-security","name":"Application Security Changelog","type":"feed"},"product":{"slug":"application-security","name":"Application Security"},"groupSlug":"application-security","groupName":"Application Security","coverageCount":0,"contentChars":1337,"contentTokens":227,"composition":null},{"id":"rel_CNIKKLiLwhHnDMaMJTa88","version":null,"type":"feature","title":"WAF - WAF Release - 2026-05-15 - Emergency","summary":"This emergency release introduces two new rules to detect nginx heap buffer overflow and heap spray exploitation attempts targeting the rewrite module...","titleGenerated":null,"titleShort":null,"content":"This emergency release introduces two new rules to detect nginx heap buffer overflow and heap spray exploitation attempts targeting the rewrite module's `is_args` stale-state bug (CVE-2026-42945).\n\n**Key Findings**\n\nCVE-2026-42945: nginx Heap Buffer Overflow via Stale `is_args` in Rewrite Module\n\nSuccessful exploitation allows remote attackers to trigger a heap buffer overflow in nginx's rewrite module by sending crafted URIs containing escapable characters. A length/copy pass mismatch in `ngx_http_script_copy_capture_code()` causes the copy pass to write escaped data into an undersized buffer, leading to heap corruption. This enables denial of service (worker process crash) and, with heap feng shui techniques, potential remote code execution.\n\nWe strongly recommend upgrading to nginx 1.30.1 (or later) immediately to address the underlying vulnerability. 
If you cannot upgrade immediately, avoid `rewrite` directives with `?` in the replacement string followed by `set` or `if` referencing capture groups.\n\nRuleset\n\nRule ID\n\nLegacy Rule ID\n\nDescription\n\nPrevious Action\n\nNew Action\n\nComments\n\nCloudflare Managed Ruleset\n\n2013e3e58efe4b79a26e214f7e52be73\n\nN/A\n\nnginx - Remote Code Execution - Buffer Overread - CVE:CVE-2026-42945\n\nN/A\n\nBlock\n\nThis is a new detection.\n\nCloudflare Managed Ruleset\n\n68226e83a4d14ee9a9c878469df0ee6c\n\nN/A\n\nnginx - Remote Code Execution - Heap Spray - CVE:CVE-2026-42945\n\nN/A\n\nBlock\n\nThis is a new detection.","publishedAt":"2026-05-15T00:00:00.000Z","url":"https://developers.cloudflare.com/changelog/post/2026-05-15-emergency-waf-release/","media":[],"prerelease":false,"source":{"slug":"cloudflare-application-security","name":"Application Security Changelog","type":"feed"},"product":{"slug":"application-security","name":"Application Security"},"groupSlug":"application-security","groupName":"Application Security","coverageCount":0,"contentChars":1448,"contentTokens":348,"composition":null},{"id":"rel_wHRKUNRS1xXUGpUuxzuWy","version":null,"type":"feature","title":"Security Center - Agent Readiness scores now available in URL Scanner via the Cloudflare Dashboard","summary":"We’ve added a new **Agent Readiness** tab to URL Scanner reports accessible via the Cloudflare dashboard. This feature evaluates your site against eme...","titleGenerated":null,"titleShort":null,"content":"We’ve added a new **Agent Readiness** tab to URL Scanner reports accessible via the Cloudflare dashboard. This feature evaluates your site against emerging AI standards and provides six specialized scores to help you optimize for the next generation of AI agents and automated discovery.\n\nThe Internet is shifting from a human-read web to a machine-read web. AI agents now browse, interact with, and even perform transactions on websites. 
If a site isn't \"agent-ready,\" these bots may consume excessive bandwidth, fail to find critical information, or be unable to navigate your services efficiently.\n\nThis update provides material value by breaking down readiness into six actionable categories:\n\n- **Basic Web Presence**\n- **Discoverability**\n- **Content Accessibility**\n- **Bot Access Control**\n- **Protocol Discovery**\n- **Commerce**\n\n#### Accessing the report\n\nYou can view these scores for any scanned URL directly in the dashboard or via our API.\n\n- **Dashboard:** Go to **Protect & Connect > Application Security > Investigate**. After running a scan, select the **Agent Readiness** tab in the report.\n- **API:** Use the [URL Scanner API](https://developers.cloudflare.com/radar/investigate/url-scanner/) to programmatically retrieve these scores for your infrastructure.\n\nTo learn more about the methodology behind these scores, refer to the [blogpost](https://blog.cloudflare.com/agent-readiness/).","publishedAt":"2026-05-12T00:00:00.000Z","url":"https://developers.cloudflare.com/changelog/post/2026-05-12-url-scanner-report-agent-readiness/","media":[],"prerelease":false,"source":{"slug":"cloudflare-application-security","name":"Application Security Changelog","type":"feed"},"product":{"slug":"application-security","name":"Application Security"},"groupSlug":"application-security","groupName":"Application Security","coverageCount":0,"contentChars":1408,"contentTokens":279,"composition":null},{"id":"rel_gMap-1_xoe_xWkiJ76ORM","version":null,"type":"feature","title":"WAF - WAF Release - 2026-05-11","summary":"**Key Findings**\n\n- Existing rule enhancements have been deployed to improve detection resilience against broad classes of web attacks and strengthen ...","titleGenerated":null,"titleShort":null,"content":"**Key Findings**\n\n- Existing rule enhancements have been deployed to improve detection resilience against broad classes of web attacks and strengthen behavioral 
coverage.\n\n**Continuous Rule Improvements**\n\nWe are continuously refining our managed rules to provide more resilient protection and deeper insights into attack patterns. To ensure an optimal security posture, we recommend consistently monitoring the Security Events dashboard and adjusting rule actions as these enhancements are deployed.\n\nRuleset\n\nRule ID\n\nLegacy Rule ID\n\nDescription\n\nPrevious Action\n\nNew Action\n\nComments\n\nCloudflare Managed Ruleset\n\n23ac4a9e53f94467ba470c9468b3c389\n\nN/A\n\nRemote Code Execution - Java Deserialization - Body - Beta\n\nBlock\n\nDisabled\n\nThis is a new detection. This rule is merged into the original rule \"Remote Code Execution - Java Deserialization\" (ID: 36b0532eb3c941449afed2d3744305c4 ).","publishedAt":"2026-05-11T00:00:00.000Z","url":"https://developers.cloudflare.com/changelog/post/2026-05-11-waf-release/","media":[],"prerelease":false,"source":{"slug":"cloudflare-application-security","name":"Application Security Changelog","type":"feed"},"product":{"slug":"application-security","name":"Application Security"},"groupSlug":"application-security","groupName":"Application Security","coverageCount":0,"contentChars":887,"contentTokens":188,"composition":null},{"id":"rel_NUvjsc4QEhRt1URQcREKO","version":null,"type":"feature","title":"Workers, WAF - WAF and framework adapter mitigations for React and Next.js vulnerabilities","summary":"Multiple security vulnerabilities were disclosed by the React team and Vercel affecting React Server Components and Next.js. These include denial of s...","titleGenerated":null,"titleShort":null,"content":"Multiple security vulnerabilities were disclosed by the React team and Vercel affecting React Server Components and Next.js. 
These include denial of service, middleware and proxy bypass, server-side request forgery, cross-site scripting, and cache poisoning issues across a range of severity levels.\n\n**We strongly recommend updating your application and its dependencies immediately.** Patched versions are available for React (`react-server-dom-webpack`, `react-server-dom-parcel`, and `react-server-dom-turbopack` `19.0.6`, `19.1.7`, and `19.2.6`) and Next.js (`15.5.16` and `16.2.5`).\n\n#### WAF protections\n\nCloudflare WAF rules deployed in response to prior React Server Component CVEs ([`CVE-2025-55184`](https://github.com/facebook/react/security/advisories/GHSA-2m3v-v2m8-q956) and [`CVE-2026-23864`](https://github.com/facebook/react/security/advisories/GHSA-83fc-fqcc-2hmg)) already provide coverage for the newly disclosed denial-of-service vulnerabilities. These rules are enabled by default with a Block action for all customers using the Cloudflare Managed Ruleset, including Free plan customers using the Free Managed Ruleset.\n\nRuleset\n\nRule description\n\nRule ID\n\nDefault action\n\nCloudflare Managed Ruleset\n\nReact - DoS - [`CVE-2025-55184`](https://github.com/facebook/react/security/advisories/GHSA-2m3v-v2m8-q956)\n\n`2694f1610c0b471393b21aef102ec699`\n\nBlock\n\nCloudflare Managed Ruleset\n\nReact - DoS - [`CVE-2026-23864`](https://github.com/facebook/react/security/advisories/GHSA-83fc-fqcc-2hmg)\n\n`aaede80b4d414dc89c443cea61680354`\n\nBlock\n\nThe existing rules detect the underlying attack patterns generically. 
As a result, they apply to the new [`CVE-2026-23870`](https://github.com/facebook/react/security/advisories/GHSA-rv78-f8rc-xrxh) denial-of-service vulnerability in Server Components and the corresponding Next.js advisory [`GHSA-8h8q-6873-q5fj`](https://github.com/vercel/next.js/security/advisories/GHSA-8h8q-6873-q5fj).\n\nCloudflare is investigating whether WAF rules can be safely and effectively deployed for three of the high-severity advisories: [`CVE-2026-23870`](https://github.com/facebook/react/security/advisories/GHSA-rv78-f8rc-xrxh) / [`GHSA-8h8q-6873-q5fj`](https://github.com/vercel/next.js/security/advisories/GHSA-8h8q-6873-q5fj), [`GHSA-267c-6grr-h53f`](https://github.com/vercel/next.js/security/advisories/GHSA-267c-6grr-h53f), and [`GHSA-mg66-mrh9-m8jx`](https://github.com/vercel/next.js/security/advisories/GHSA-mg66-mrh9-m8jx). If it is possible to create a managed WAF rule that mitigates these CVEs and does not potentially break application behavior, Cloudflare will add additional managed WAF rules. These rules will be announced through the [WAF changelog](https://developers.cloudflare.com/waf/change-log/changelog/). Because these vulnerabilities were shared with Cloudflare with minimal advance notice, we are still investigating what WAF mitigations are possible.\n\nSeveral of the disclosed vulnerabilities are not possible to block in WAF. We strongly recommend updating your applications so they are not purely reliant on WAF mitigations.\n\nCustomers on Pro, Business, or Enterprise plans should ensure that [Managed Rules are enabled](https://developers.cloudflare.com/waf/get-started/#1-deploy-the-cloudflare-managed-ruleset).\n\n#### Next.js adapters\n\n**Vinext:** [Vinext](https://github.com/cloudflare/vinext) is a Vite plugin that reimplements the Next.js API surface. Vinext's latest release is not vulnerable to any of the disclosed CVEs. Vinext's architecture differs from stock Next.js in ways that sidestep the affected code paths. 
For example, it does not implement the PPR resume protocol, does not expose Pages Router data-route endpoints, and strips internal headers such as `x-nextjs-data` at request boundaries. As an extra layer of defense, we added a React `19.2.6` or later requirement when running `vinext init` ([PR #1118](https://github.com/cloudflare/vinext/pull/1118), [PR #1112](https://github.com/cloudflare/vinext/pull/1112)) to prevent accidentally running a vulnerable version of React with Vinext.\n\n**OpenNext on Cloudflare:** OpenNext is an adapter that lets you deploy Next.js apps to the Cloudflare Workers platform. OpenNext itself is not directly vulnerable to the React denial-of-service CVE, but users must update the Next.js version in their application. The OpenNext team has updated the adapter to further harden against these vectors and released a new version of the Cloudflare adapter. Test fixtures and examples have been updated to use patched versions ([PR #1255](https://github.com/opennextjs/opennextjs-cloudflare/pull/1255)).\n\n#### Summary of disclosed vulnerabilities\n\nAdvisory\n\nSeverity\n\nIssue\n\nWAF status\n\n[`CVE-2026-23870`](https://github.com/facebook/react/security/advisories/GHSA-rv78-f8rc-xrxh) / [`GHSA-8h8q-6873-q5fj`](https://github.com/vercel/next.js/security/advisories/GHSA-8h8q-6873-q5fj)\n\nHigh\n\nDenial of service in Server Components\n\n**WAF rules in place:** `2694f1610c0b471393b21aef102ec699`, `aaede80b4d414dc89c443cea61680354`  \nCloudflare is investigating additional managed WAF coverage\n\n[`GHSA-267c-6grr-h53f`](https://github.com/vercel/next.js/security/advisories/GHSA-267c-6grr-h53f)\n\nHigh\n\nMiddleware bypass via segment-prefetch routes\n\nCloudflare is investigating if this can be safely and effectively mitigated by a managed WAF rule\n\n[`GHSA-mg66-mrh9-m8jx`](https://github.com/vercel/next.js/security/advisories/GHSA-mg66-mrh9-m8jx)\n\nHigh\n\nDenial of service via connection exhaustion in Cache Components\n\nCloudflare is 
investigating if this can be safely and effectively mitigated by a managed WAF rule\n\n[`GHSA-492v-c6pp-mqqv`](https://github.com/vercel/next.js/security/advisories/GHSA-492v-c6pp-mqqv)\n\nHigh\n\nMiddleware bypass via dynamic route parameter injection\n\nNot possible to safely enable a managed WAF rule without potentially breaking application behavior\n\n[`GHSA-c4j6-fc7j-m34r`](https://github.com/vercel/next.js/security/advisories/GHSA-c4j6-fc7j-m34r)\n\nHigh\n\nSSRF via WebSocket upgrades\n\nNot possible to safely enable a managed WAF rule without potentially breaking application behavior\n\n[`GHSA-36qx-fr4f-26g5`](https://github.com/vercel/next.js/security/advisories/GHSA-36qx-fr4f-26g5)\n\nHigh\n\nMiddleware bypass in Pages Router i18n\n\nCustom WAF rule possible; global managed rule could potentially break application behavior\n\n[`GHSA-ffhc-5mcf-pf4q`](https://github.com/vercel/next.js/security/advisories/GHSA-ffhc-5mcf-pf4q)\n\nModerate\n\nXSS via CSP nonces\n\nCustom WAF rule possible; global managed rule could potentially break application behavior\n\n[`GHSA-gx5p-jg67-6x7h`](https://github.com/vercel/next.js/security/advisories/GHSA-gx5p-jg67-6x7h)\n\nModerate\n\nXSS in `beforeInteractive` scripts\n\nNot possible to safely enable a managed WAF rule without potentially breaking application behavior\n\n[`GHSA-h64f-5h5j-jqjh`](https://github.com/vercel/next.js/security/advisories/GHSA-h64f-5h5j-jqjh)\n\nModerate\n\nDenial of service in Image Optimization API\n\nCustom WAF rule possible; global managed rule could potentially break application behavior\n\n[`GHSA-wfc6-r584-vfw7`](https://github.com/vercel/next.js/security/advisories/GHSA-wfc6-r584-vfw7)\n\nModerate\n\nCache poisoning in RSC responses\n\nCustom WAF rule possible; global managed rule could potentially break application behavior\n\n[`GHSA-vfv6-92ff-j949`](https://github.com/vercel/next.js/security/advisories/GHSA-vfv6-92ff-j949)\n\nLow\n\nCache poisoning via RSC cache-busting collisions\n\nNot 
possible to safely enable a managed WAF rule without potentially breaking application behavior\n\n[`GHSA-3g8h-86w9-wvmq`](https://github.com/vercel/next.js/security/advisories/GHSA-3g8h-86w9-wvmq)\n\nLow\n\nMiddleware redirect cache poisoning\n\nCustom WAF rule possible; global managed rule could potentially break application behavior","publishedAt":"2026-05-07T12:00:00.000Z","url":"https://developers.cloudflare.com/changelog/post/2026-05-06-react-nextjs-vulnerabilities/","media":[],"prerelease":false,"source":{"slug":"cloudflare-application-security","name":"Application Security Changelog","type":"feed"},"product":{"slug":"application-security","name":"Application Security"},"groupSlug":"application-security","groupName":"Application Security","coverageCount":0,"contentChars":7808,"contentTokens":2099,"composition":null},{"id":"rel_txrhAXQM68oGzr0d0_Wm1","version":null,"type":"feature","title":"WAF - WAF Release - 2026-05-07 - Emergency","summary":"This emergency release introduces a new rule to detect Next.js App Router middleware and proxy bypass attempts via segment-prefetch routes (CVE-2026-4...","titleGenerated":null,"titleShort":null,"content":"This emergency release introduces a new rule to detect Next.js App Router middleware and proxy bypass attempts via segment-prefetch routes (CVE-2026-44575).\n\n**Key Findings**\n\nCVE-2026-44575: Next.js Middleware / Proxy Bypass in App Router Applications via Segment-Prefetch Routes\n\nSuccessful exploitation allows unauthenticated attackers to bypass middleware or proxy-based authorization checks in affected Next.js App Router applications. This leads to unauthorized access to protected content, potential exposure of sensitive application data, and compromise of application security boundaries.\n\nWe strongly recommend upgrading to Next.js 15.5.16 or 16.2.5 (or later) immediately to address the underlying vulnerability. 
If you cannot upgrade immediately, enforce authorization in the underlying route or page logic instead of relying solely on middleware.\n\nRuleset\n\nRule ID\n\nLegacy Rule ID\n\nDescription\n\nPrevious Action\n\nNew Action\n\nComments\n\nCloudflare Managed Ruleset\n\n1de95bf6d6374e1099854278e77e4a53\n\nN/A\n\nNext.js - Middleware Bypass via Invalid RSC Header - CVE:CVE-2026-44575\n\nN/A\n\nDisabled\n\nThis is a new detection.","publishedAt":"2026-05-07T00:00:00.000Z","url":"https://developers.cloudflare.com/changelog/post/2026-05-07-emergency-waf-release/","media":[],"prerelease":false,"source":{"slug":"cloudflare-application-security","name":"Application Security Changelog","type":"feed"},"product":{"slug":"application-security","name":"Application Security"},"groupSlug":"application-security","groupName":"Application Security","coverageCount":0,"contentChars":1126,"contentTokens":244,"composition":null},{"id":"rel_LBpRfHndy6hcBxUY1mEHh","version":null,"type":"feature","title":"Security Center - CSV export and adjustable page density for RFIs","summary":"You can now export your Requests for Information (RFI) history to a **CSV document** and customize your dashboard view by choosing how many RFI record...","titleGenerated":null,"titleShort":null,"content":"You can now export your Requests for Information (RFI) history to a **CSV document** and customize your dashboard view by choosing how many RFI records to load per page.\n\n#### Why this matters\n\nThese quality-of-life updates focus on data portability and dashboard performance, allowing power users to manage high volumes of requests more efficiently:\n\n- The new **CSV export** allows you to move RFI data into external tools for custom reporting, internal auditing, or cross-referencing with other security projects without manual data entry\n- With **adjustable page density**, you can now choose to load more records at once (10, 25 or 50) to scan through history faster\n\nCloudforce One subscribers can find 
these new options in [Cloudflare Dashboard > Application Security > Threat Intelligence > Requests for Information](https://dash.cloudflare.com/?to=/:account/application-security/threat-intelligence/requests).","publishedAt":"2026-05-07T00:00:00.000Z","url":"https://developers.cloudflare.com/changelog/post/2026-05-07-csv-export-for-rfis/","media":[],"prerelease":false,"source":{"slug":"cloudflare-application-security","name":"Application Security Changelog","type":"feed"},"product":{"slug":"application-security","name":"Application Security"},"groupSlug":"application-security","groupName":"Application Security","coverageCount":0,"contentChars":918,"contentTokens":182,"composition":null},{"id":"rel_wFX_faZT4UFx0yDAmgocN","version":null,"type":"feature","title":"Security Center - TAXII support added to Threat Events API","summary":"The Cloudforce One Threat Events API now supports [**TAXII**](https://www.cloudflare.com/en-gb/learning/security/what-is-stix-and-taxii/) as an output...","titleGenerated":null,"titleShort":null,"content":"The Cloudforce One Threat Events API now supports [**TAXII**](https://www.cloudflare.com/en-gb/learning/security/what-is-stix-and-taxii/) as an output format, enabling standardized, automated sharing of cyber threat intelligence with your existing security stack.\n\n#### Why this matters\n\n- You can now ingest Cloudforce One threat data directly into your SIEM, TIP or SOAR tools that prefer TAXII-formatted streams without needing custom translation scripts.\n- By supporting the TAXII format parameter in our API, security teams can automate the synchronization of indicator data, reducing the manual overhead of updating blocklists and detection rules.\n- This alignment with industry standards ensures that your threat data remains consistent across different security ecosystems and partner integrations.\n\n#### How to use it\n\nWhen calling the Threat Events API, you can now specify `taxii` in the `format` query parameter:\n\n`GET 
/accounts/{account_id}/cloudforce_one/threat_events?format=taxii`\n\nYou can find the updated documentation in the [Cloudflare API Reference](https://developers.cloudflare.com/api/resources/cloudforce_one/subresources/threat_events/methods/list#%28resource%29%20cloudforce_one.threat_events%20%3E%20%28method%29%20list%20%3E%20%28params%29%20default%20%3E%20%28param%29%20format%20%3E%20%28schema%29).","publishedAt":"2026-05-06T00:00:00.000Z","url":"https://developers.cloudflare.com/changelog/post/2026-05-06-taxii-support-for-threat-events-api/","media":[],"prerelease":false,"source":{"slug":"cloudflare-application-security","name":"Application Security Changelog","type":"feed"},"product":{"slug":"application-security","name":"Application Security"},"groupSlug":"application-security","groupName":"Application Security","coverageCount":0,"contentChars":1330,"contentTokens":305,"composition":null},{"id":"rel_iQTfVja88u5Ww1m_GmT7L","version":null,"type":"feature","title":"WAF - WAF Release - 2026-05-04","summary":"This week's release focuses on new detections to expand coverage across command injection, SQL injection, PHP object injection, remote code execution,...","titleGenerated":null,"titleShort":null,"content":"This week's release focuses on new detections to expand coverage across command injection, SQL injection, PHP object injection, remote code execution, and XSS attack vectors.\n\n**Key Findings**\n\n- Existing rule enhancements have been deployed to improve detection resilience against broad classes of web attacks and strengthen behavioral coverage.\n\n**Continuous Rule Improvements**\n\nWe are continuously refining our managed rules to provide more resilient protection and deeper insights into attack patterns. 
To ensure an optimal security posture, we recommend consistently monitoring the Security Events dashboard and adjusting rule actions as these enhancements are deployed.\n\nRuleset\n\nRule ID\n\nLegacy Rule ID\n\nDescription\n\nPrevious Action\n\nNew Action\n\nComments\n\nCloudflare Managed Ruleset\n\n607ec27233b54beb8b89386ef0884a68\n\nN/A\n\nXSS, HTML Injection - Object Tag - Body (beta)\n\nLog\n\nBlock\n\nThis is a new detection. This rule is merged into the original rule \"XSS, HTML Injection - Object Tag\" (ID: e9e3ac45a6d842f1a132fbf70c14e284 ).\n\nCloudflare Managed Ruleset\n\n0087c27420c54168a10bc05eff012303\n\nN/A\n\nXSS, HTML Injection - Object Tag - Headers\n\nLog\n\nBlock\n\nThis is a new detection. The rule previously known as \"XSS, HTML Injection - Object Tag - Headers (beta)\" is now renamed to \"XSS, HTML Injection - Object Tag - Headers\".\n\nCloudflare Managed Ruleset\n\n38dc97853ebf40ed9476ec7816f921d9\n\nN/A\n\nXSS, HTML Injection - Object Tag - URI\n\nLog\n\nBlock\n\nThis is a new detection. The rule previously known as \"XSS, HTML Injection - Object Tag - URI (beta)\" is now renamed to \"XSS, HTML Injection - Object Tag - URI\".\n\nCloudflare Managed Ruleset\n\n963cb530f72d4c75b2ae7befdc90d21a\n\nN/A\n\nCommand Injection - Generic 9 - Body Vector - Beta\n\nN/A\n\nDisabled\n\nThis is a new detection. This rule is merged into the original rule \"Command Injection - Generic 9 - Body Vector\" (ID: 155bb67d1061479e995a38510677175f )\n\nCloudflare Managed Ruleset\n\n6ac1b6dfe22449a798cc7021f8960375\n\nN/A\n\nCommand Injection - Generic 9 - Header Vector - Beta\n\nN/A\n\nDisabled\n\nThis is a new detection. This rule is merged into the original rule \"Command Injection - Generic 9 - Header Vector\" (ID: b31c34a7b29b4aaf9be6883d1eb7a999 )\n\nCloudflare Managed Ruleset\n\n47a9b66dd73a4a558590c4bdef47a800\n\nN/A\n\nCommand Injection - Generic 9 - URI Vector - Beta\n\nN/A\n\nDisabled\n\nThis is a new detection. 
This rule is merged into the original rule \"Command Injection - Generic 9 - URI Vector\" (ID: 54ad0465c30d4cd2ac7a707197321c6c )\n\nCloudflare Managed Ruleset\n\nd2ae4a8093f245a1b9de71bbbeebf804\n\nN/A\n\nCommand Injection - Sleep - Body\n\nN/A\n\nDisabled\n\nThis is a new detection. The rule previously known as \"Command Injection - Sleep\" is now renamed to \"Command Injection - Sleep - Body\".\n\nCloudflare Managed Ruleset\n\nda91868c0d3d44afb846e7830d257566\n\nN/A\n\nCommand Injection - Sleep - Headers\n\nN/A\n\nDisabled\n\nThis is a new detection.\n\nCloudflare Managed Ruleset\n\n04863c61e982464b91778f051856fe86\n\nN/A\n\nCommand Injection - Sleep - URI\n\nN/A\n\nDisabled\n\nThis is a new detection.\n\nCloudflare Managed Ruleset\n\n9dc1a0b8dbb7425db619309be6e43c37\n\nN/A\n\nFortinet FortiSandbox - Command Injection - CVE:CVE-2026-39808\n\nLog\n\nBlock\n\nThis is a new detection.\n\nCloudflare Managed Ruleset\n\nb84c10f5a8f84800905932dc88118795\n\nN/A\n\nRemote Code Execution - Common Bash Bypass - Headers\n\nN/A\n\nDisabled\n\nThis is a new detection.\n\nCloudflare Managed Ruleset\n\nf496c40011f14bfdb5f55ec79299d53b\n\nN/A\n\nRemote Code Execution - Common Bash Bypass - URI\n\nN/A\n\nDisabled\n\nThis is a new detection.\n\nCloudflare Managed Ruleset\n\na5f75abac2664554a984d061b0bf33f9\n\nN/A\n\nRemote Code Execution - Common Bash Bypass - Body - Beta\n\nN/A\n\nDisabled\n\nThis is a new detection. This rule is merged into the original rule \"Remote Code Execution - Common Bash Bypass Body\" (ID: 6e2f7a696ea74c979e7d069cefb7e5b9 ). The rule previously known as \"Remote Code Execution - Common Bash Bypass Beta\" is now renamed to \"Remote Code Execution - Common Bash Bypass Body\".\n\nCloudflare Managed Ruleset\n\nbbb31a886ab54f6c8cdd220d33bfe8b9\n\nN/A\n\nPHP Object Injection - 2 - Body - Beta\n\nN/A\n\nDisabled\n\nThis is a new detection. 
This rule is merged into the original rule \"PHP Object Injection - 2\" (ID: 8ef3c3f91eef46919cc9cb6d161aafdc )\n\nCloudflare Managed Ruleset\n\ne199688ab69746c88c33457f29552387\n\nN/A\n\nPHP Object Injection - 2 - Headers\n\nN/A\n\nDisabled\n\nThis is a new detection.\n\nCloudflare Managed Ruleset\n\neb33d40e96c54e929af6ed9c8104f4c5\n\nN/A\n\nPHP Object Injection - 2 - URI\n\nN/A\n\nDisabled\n\nThis is a new detection.\n\nCloudflare Managed Ruleset\n\n76b15b7b122a4be6a40d8aa96a46201e\n\nN/A\n\nSQLi - DROP - 2 - Beta\n\nN/A\n\nDisabled\n\nThis is a new detection. This rule is merged into the original rule \"SQLi - DROP - 2\" (ID: a967a167874b42b6898be46e48ac2221 )\n\nCloudflare Managed Ruleset\n\ne24b2ef4a5c54f97a62db7a68b7f85ee\n\nN/A\n\nSQLi - DROP - 2 - Headers\n\nN/A\n\nDisabled\n\nThis is a new detection.\n\nCloudflare Managed Ruleset\n\n51123f35f1d249358aea8fb11546b5f0\n\nN/A\n\nSQLi - DROP - 2 - URI\n\nN/A\n\nDisabled\n\nThis is a new detection.\n\nCloudflare Managed Ruleset\n\nd86d8873310d41f2877458a91e053dce\n\nN/A\n\nSmarterMail - Remote Code Execution - CVE:CVE-2026-24423\n\nLog\n\nBlock\n\nThis is a new detection.\n\nCloudflare Managed Ruleset\n\n00da180570d34b5bae2121acd0023a36\n\nN/A\n\nSQLi - SELECT Expression - Body\n\nBlock\n\nDisabled\n\nAction changed\n\nCloudflare Managed Ruleset\n\nc46d9097c9ef419aa4d9f10626cc211f\n\nN/A\n\nSQLi - String Concatenation - URI\n\nBlock\n\nDisabled\n\nAction changed","publishedAt":"2026-05-04T00:00:00.000Z","url":"https://developers.cloudflare.com/changelog/post/2026-05-04-waf-release/","media":[],"prerelease":false,"source":{"slug":"cloudflare-application-security","name":"Application Security Changelog","type":"feed"},"product":{"slug":"application-security","name":"Application Security"},"groupSlug":"application-security","groupName":"Application Security","coverageCount":0,"contentChars":5428,"contentTokens":1640,"composition":null},{"id":"rel_Flol1u_zW4UrXfq9gHD_S","version":null,"type":"feature","title":"WAF 
- WAF Release - 2026-04-30 - Emergency","summary":"This emergency release introduces a new rule to block a cPanel & WHM Authentication Bypass related to CVE-2026-41940.\n\n**Key Findings**\n\n- CVE-2026-41...","titleGenerated":null,"titleShort":null,"content":"This emergency release introduces a new rule to block a cPanel & WHM Authentication Bypass related to CVE-2026-41940.\n\n**Key Findings**\n\n- CVE-2026-41940: A critical authentication bypass vulnerability in cPanel & WHM allows unauthenticated remote attackers to bypass authentication mechanisms and gain unauthorized administrative access to the web hosting control panel. This vulnerability affects the session validation logic, enabling attackers to craft malicious requests that circumvent normal authentication checks.\n\n**Impact**\n\nSuccessful exploitation allows unauthenticated attackers to gain administrative control over affected cPanel & WHM installations. This leads to complete server compromise, potential theft or manipulation of hosted data, and significant service disruption across managed environments.\n\nWe strongly recommend applying official vendor patches for cPanel & WHM immediately to address the underlying vulnerability.\n\nRuleset\n\nRule ID\n\nLegacy Rule ID\n\nDescription\n\nPrevious Action\n\nNew Action\n\nComments\n\nCloudflare Managed Ruleset\n\nfb29b1b660864285a5ebac86eb2b9e2f\n\nN/A\n\ncPanel - Auth Bypass - CVE:CVE-2026-41940\n\nN/A\n\nBlock\n\nThis is a new detection.","publishedAt":"2026-04-30T00:00:00.000Z","url":"https://developers.cloudflare.com/changelog/post/2026-04-30-emergency-waf-release/","media":[],"prerelease":false,"source":{"slug":"cloudflare-application-security","name":"Application Security Changelog","type":"feed"},"product":{"slug":"application-security","name":"Application Security"},"groupSlug":"application-security","groupName":"Application 
Security","coverageCount":0,"contentChars":1178,"contentTokens":238,"composition":null},{"id":"rel_m8LymnE0eMUXtuBdgKz_j","version":null,"type":"feature","title":"WAF - WAF Release - 2026-04-27","summary":"This week's release focuses on new improvements to enhance coverage.\n\n**Key Findings**\n\n- Existing rule enhancements have been deployed to improve det...","titleGenerated":null,"titleShort":null,"content":"This week's release focuses on new improvements to enhance coverage.\n\n**Key Findings**\n\n- Existing rule enhancements have been deployed to improve detection resilience against broad classes of web attacks and strengthen behavioral coverage.\n\n**Continuous Rule Improvements**\n\nWe are continuously refining our managed rules to provide more resilient protection and deeper insights into attack patterns. To ensure an optimal security posture, we recommend consistently monitoring the Security Events dashboard and adjusting rule actions as these enhancements are deployed.\n\nRuleset\n\nRule ID\n\nLegacy Rule ID\n\nDescription\n\nPrevious Action\n\nNew Action\n\nComments\n\nCloudflare Managed Ruleset\n\nd866f980582748568385b94480cec1dd\n\nN/A\n\nPostgreSQL - SQLi - COPY - Beta\n\nLog\n\nBlock\n\nThis is a new detection. This rule is merged into the original rule \"PostgreSQL - SQLi - COPY - Body\" (ID: 705a6b5569d5472596910e3ce7265a4e ). The rule previously known as \"PostgreSQL - SQLi - COPY\" is now renamed to \"PostgreSQL - SQLi - COPY - Body\".\n\nCloudflare Managed Ruleset\n\n71d133c374d94559aa9fdf042903de89\n\nN/A\n\nPostgreSQL - SQLi - COPY - Headers\n\nLog\n\nBlock\n\nThis is a new detection.\n\nCloudflare Managed Ruleset\n\n9f1b1b7fd28a401b9d5c172d1036cfa6\n\nN/A\n\nPostgreSQL - SQLi - COPY - URI\n\nLog\n\nBlock\n\nThis is a new detection.\n\nCloudflare Managed Ruleset\n\n8e40416659334b8ba789365755ff389e\n\nN/A\n\nSQLi - AND/OR MAKE\\_SET/ELT - Beta\n\nLog\n\nBlock\n\nThis is a new detection. 
This rule is merged into the original rule \"SQLi - AND/OR MAKE\\_SET/ELT - Body\" (ID: 0f41a593c8fe42c38a26f709252d3934 ). The rule previously known as \"SQLi - AND/OR MAKE\\_SET/ELT\" is now renamed to \"SQLi - AND/OR MAKE\\_SET/ELT - Body\".\n\nCloudflare Managed Ruleset\n\n1e0d4372ee1e41b9804b2d5c346487f9\n\nN/A\n\nSQLi - AND/OR MAKE\\_SET/ELT - Headers\n\nLog\n\nBlock\n\nThis is a new detection.\n\nCloudflare Managed Ruleset\n\nd2c961a164a64cf6b871c9511ac6ceca\n\nN/A\n\nSQLi - AND/OR MAKE\\_SET/ELT - URI\n\nLog\n\nBlock\n\nThis is a new detection.\n\nCloudflare Managed Ruleset\n\n4dacc0e6f32d4c5da3c2293edd471337\n\nN/A\n\nSQLi - Common Patterns - Beta\n\nLog\n\nBlock\n\nThis is a new detection. This rule is merged into the original rule \"SQLi - Common Patterns - Body\" (ID: 98f746d07a6d48ab9dae669acb5d0b9b ). The rule previously known as \"SQLi - Common Patterns\" is now renamed to \"SQLi - Common Patterns - Body\".\n\nCloudflare Managed Ruleset\n\n53a374379f2e41e9934791c1975c07b7\n\nN/A\n\nSQLi - Common Patterns - Headers\n\nLog\n\nBlock\n\nThis is a new detection.\n\nCloudflare Managed Ruleset\n\n9efedebfc371443f9fe7308605b1b06b\n\nN/A\n\nSQLi - Common Patterns - URI\n\nLog\n\nBlock\n\nThis is a new detection.\n\nCloudflare Managed Ruleset\n\nd53a791496d64700870334f4dd0ba3c7\n\nN/A\n\nSQLi - Equation - Beta\n\nLog\n\nBlock\n\nThis is a new detection. This rule is merged into the original rule \"SQLi - Equation - Body\" (ID: e7691e1e4f4d4769909f3df6c2eb3e7f ). 
The rule previously known as \"SQLi - Equation\" is now renamed to \"SQLi - Equation - Body\".\n\nCloudflare Managed Ruleset\n\n46efbd3496e64c3f902ad33d3d1c2384\n\nN/A\n\nSQLi - Equation - Headers\n\nLog\n\nBlock\n\nThis is a new detection.\n\nCloudflare Managed Ruleset\n\n46b937649a424b7ead90f6d0e1149ea6\n\nN/A\n\nSQLi - Equation - URI\n\nLog\n\nBlock\n\nThis is a new detection.\n\nCloudflare Managed Ruleset\n\n04d9182545f54ba8a4fa29fe205adbb0\n\nN/A\n\nSQLi - AND/OR Digit Operator Digit - Beta\n\nLog\n\nBlock\n\nThis is a new detection. This rule is merged into the original rule \"SQLi - AND/OR Digit Operator Digit - Body\" (ID: 762dd334ed0b4273816e3ff13893c564 ). The rule previously known as \"SQLi - AND/OR Digit Operator Digit\" is now renamed to \"SQLi - AND/OR Digit Operator Digit - Body\".\n\nCloudflare Managed Ruleset\n\na24e7c15503948bc8766481aad2abbaa\n\nN/A\n\nSQLi - AND/OR Digit Operator Digit - Headers\n\nLog\n\nBlock\n\nThis is a new detection.\n\nCloudflare Managed Ruleset\n\n0c55eb362df64f92a85aa46753acbc0d\n\nN/A\n\nSQLi - AND/OR Digit Operator Digit - URI\n\nLog\n\nBlock\n\nThis is a new detection.\n\nCloudflare Managed Ruleset\n\n18c9879b7e184c559d23c1652b45a97d\n\nN/A\n\nSQLi - Benchmark Function - Beta\n\nLog\n\nBlock\n\nThis is a new detection. This rule is merged into the original rule \"SQLi - Benchmark Function - Body\" (ID: ac4e9ebfb43a4f3998f6072d2ebc44ad ). The rule previously known as \"SQLi - Benchmark Function\" is now renamed to \"SQLi - Benchmark Function - Body\".\n\nCloudflare Managed Ruleset\n\n2adbc36c52324efcb4681b829889aadc\n\nN/A\n\nSQLi - Benchmark Function - Headers\n\nLog\n\nBlock\n\nThis is a new detection.\n\nCloudflare Managed Ruleset\n\n69564af3bc54406080deed72491b28e9\n\nN/A\n\nSQLi - Benchmark Function - URI\n\nLog\n\nBlock\n\nThis is a new detection.\n\nCloudflare Managed Ruleset\n\n94b1646f0b0b46ec9b96f7742aa649de\n\nN/A\n\nSQLi - Comparison - Beta\n\nLog\n\nBlock\n\nThis is a new detection. 
This rule is merged into the original rule \"SQLi - Comparison - Body\" (ID: 8166da327a614849bfa29317e7907480 ). The rule previously known as \"SQLi - Comparison\" is now renamed to \"SQLi - Comparison - Body\".\n\nCloudflare Managed Ruleset\n\n455ce87681bd4200bf53456c39e3e013\n\nN/A\n\nSQLi - Comparison - Headers\n\nLog\n\nBlock\n\nThis is a new detection.\n\nCloudflare Managed Ruleset\n\n8152816062ed47f69be0f907f4bdb492\n\nN/A\n\nSQLi - Comparison - URI\n\nLog\n\nBlock\n\nThis is a new detection.\n\nCloudflare Managed Ruleset\n\nd5afd403a0544248b829fe5da1ff3b34\n\nN/A\n\nSQLi - String Concatenation - Body - Beta\n\nLog\n\nBlock\n\nThis is a new detection. This rule is merged into the original rule \"SQLi - String Concatenation - Headers\" (ID: 3b0c61407d0b4f7d87e516472116d2fe ). The rule previously known as \"SQLi - String Concatenation - Headers\" is now renamed to \"SQLi - String Concatenation - Body\".\n\nCloudflare Managed Ruleset\n\ncb0ec290ee454138abe18b750d0e6c3b\n\nN/A\n\nSQLi - String Concatenation - Headers\n\nLog\n\nBlock\n\nThis is a new detection. (Former Id was 380099df2bb2469c91ebbb7b846d1940 )\n\nCloudflare Managed Ruleset\n\nc46d9097c9ef419aa4d9f10626cc211f\n\nN/A\n\nSQLi - String Concatenation - URI\n\nLog\n\nBlock\n\nThis is a new detection. (Former Id was bd19397228404b85aa3797238fae8c84 )\n\nCloudflare Managed Ruleset\n\n6542d36980cf4018b4d5e2bfeacc78ab\n\nN/A\n\nSQLi - SELECT Expression - Beta\n\nLog\n\nBlock\n\nThis is a new detection. This rule is merged into the original rule \"SQLi - SELECT Expression - Body\" (ID: 00da180570d34b5bae2121acd0023a36 ). 
The rule previously known as \"SQLi - SELECT Expression\" is now renamed to \"SQLi - SELECT Expression - Body\".\n\nCloudflare Managed Ruleset\n\n4073f7b575ff45dfb7621b43630bb223\n\nN/A\n\nSQLi - SELECT Expression - Headers\n\nLog\n\nBlock\n\nThis is a new detection.\n\nCloudflare Managed Ruleset\n\n2721e3184d50466ea637e9afdcd6efb5\n\nN/A\n\nSQLi - SELECT Expression - URI\n\nLog\n\nBlock\n\nThis is a new detection.\n\nCloudflare Managed Ruleset\n\n7ecca84c08aa4aad9b5a7bda18c47cea\n\nN/A\n\nSQLi - ORD and ASCII - Beta\n\nLog\n\nBlock\n\nThis is a new detection. This rule is merged into the original rule \"SQLi - ORD and ASCII- Body\" (ID: 2fc38b34a9d744d2a3cbcc41d0d207f9 ). The rule previously known as \"SQLi - ORD and ASCII\" is now renamed to \"SQLi - ORD and ASCII- Body\".\n\nCloudflare Managed Ruleset\n\nf6d10e10c9514eb49dcc2122bdb1618f\n\nN/A\n\nSQLi - ORD and ASCII - URI\n\nLog\n\nBlock\n\nThis is a new detection.\n\nCloudflare Managed Ruleset\n\n60704f5c5513425c94cf77031d0906b6\n\nN/A\n\nSQLi - ORD and ASCII - Headers\n\nLog\n\nBlock\n\nThis is a new detection.\n\nCloudflare Managed Ruleset\n\n700613b191d3479ea2782b4e9fe4eff5\n\nN/A\n\nSQLi - Destructive Operations\n\nLog\n\nBlock\n\nThis is a new detection.","publishedAt":"2026-04-27T00:00:00.000Z","url":"https://developers.cloudflare.com/changelog/post/2026-04-27-waf-release/","media":[],"prerelease":false,"source":{"slug":"cloudflare-application-security","name":"Application Security Changelog","type":"feed"},"product":{"slug":"application-security","name":"Application Security"},"groupSlug":"application-security","groupName":"Application Security","coverageCount":0,"contentChars":7307,"contentTokens":2319,"composition":null},{"id":"rel_5Bg8VRcHrDnjz6aIPCJKa","version":null,"type":"feature","title":"Security Center - Unified workspace for Brand Protection","summary":"We have introduced a unified investigation workspace within Brand Protection to help analysts manage complex brand portfolios. 
Instead of jumping betw...","titleGenerated":null,"titleShort":null,"content":"We have introduced a unified investigation workspace within Brand Protection to help analysts manage complex brand portfolios. Instead of jumping between individual queries, you can now consolidate your workflow into a single, cohesive view.\n\n#### What's new\n\n- You can now select multiple saved queries from your dashboard to generate a consolidated \"Combined Matches\" view. This allows you to triage results from different brand queries in one unified table.\n- You can open query extended views in distinct tabs within the Brand Protection dashboard. This enables you to maintain multiple investigation contexts simultaneously and switch between them without losing your place.\n- You can reset your workspace using the new \"Clear Selection\" action, making it easier to pivot between different investigation sets.\n\n#### Key benefits\n\n- Eliminate fragmented workflows by viewing all matches across different query buckets in a single table, reducing the need to click through dozens of individual query pages\n- Correlate related campaigns by seeing similar domains or infrastructure patterns that appear across multiple saved queries\n\nLearn more in our [Brand Protection documentation](https://developers.cloudflare.com/security-center/brand-protection/).","publishedAt":"2026-04-27T00:00:00.000Z","url":"https://developers.cloudflare.com/changelog/post/2026-04-27-unified-workspace-brand-protection/","media":[],"prerelease":false,"source":{"slug":"cloudflare-application-security","name":"Application Security Changelog","type":"feed"},"product":{"slug":"application-security","name":"Application Security"},"groupSlug":"application-security","groupName":"Application Security","coverageCount":0,"contentChars":1253,"contentTokens":215,"composition":null}],"pagination":{"nextCursor":"2026-04-27T00:00:00.000Z|2026-06-19T21:06:31.092Z|rel_5Bg8VRcHrDnjz6aIPCJKa","limit":20}}