Application Security Changelog

Announcement Date

Release Date

Release Behavior

Legacy Rule ID

Rule ID

Description

Comments

2026-06-15

2026-06-22

Log

N/A

500a90789f874345b...

This week's release introduces new managed protection to address a critical SQL injection vulnerability in Ghost CMS (CVE-2026-26980) and a new generi...

You can now match incoming requests against Cloudforce One threat intelligence in your WAF rules. A new detection looks up the client IP address of ea...

TL;DR: Brand Protection now features an Automated Cease & Desist (C&D) workflow. When you discover an infringing domain hosted outside of Clou...

This release introduces new detections for a critical SQL injection vulnerability in Drupal installations utilizing PostgreSQL (CVE-2026-9082), alongs...

Cloudforce One users can now turn Threat Events indicators ...

TL;DR: We’ve launched Threat Actor Profiles directly inside the Threat Events dashboard. You can now immediately pivot from a generic alert or...

Security Insights scans now run more often. Cloudflare scans Free accounts every 7 days, Pro and Business accounts every 3 days, and Enterpris...

WAF Release - 2026-05-20

May 20, 2026

Key Findings

• Existing rule enhancements have been deployed to improve detection resilience against ...

This emergency release introduces two new rules to detect nginx heap buffer overflow and heap spray exploitation attempts targeting the rewrite module...

We’ve added a new Agent Readiness tab to URL Scanner reports accessible via the Cloudflare dashboard. This feature evaluates your site against eme...

Key Findings

• Existing rule enhancements have been deployed to improve detection resilience against broad classes of web attacks and strengthen ...

Multiple security vulnerabilities were disclosed by the React team and Vercel affecting React Server Components and Next.js. These include denial of s...

This emergency release introduces a new rule to detect Next.js App Router middleware and proxy bypass attempts via segment-prefetch routes (CVE-2026-4...

You can now export your Requests for Information (RFI) history to a CSV document and customize your dashboard view by choosing how many RFI record...

The Cloudforce One Threat Events API now supports TAXII as an output...

This week's release focuses on new detections to expand coverage across command injection, SQL injection, PHP object injection, remote code execution,...

This emergency release introduces a new rule to block a cPanel & WHM Authentication Bypass related to CVE-2026-41940.

Key Findings

• CVE-2026-41...

This week's release focuses on new improvements to enhance coverage.

Key Findings

• Existing rule enhancements have been deployed to improve det...

We have introduced a unified investigation workspace within Brand Protection to help analysts manage complex brand portfolios. Instead of jumping betw...