WAF - WAF Release - 2026-05-04

This week's release focuses on new detections to expand coverage across command injection, SQL injection, PHP object injection, remote code execution, and XSS attack vectors.

Key Findings

  • Existing rule enhancements have been deployed to improve detection resilience against broad classes of web attacks and strengthen behavioral coverage.

Continuous Rule Improvements

We are continuously refining our managed rules to provide more resilient protection and deeper insights into attack patterns. To ensure an optimal security posture, we recommend consistently monitoring the Security Events dashboard and adjusting rule actions as these enhancements are deployed.

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | 607ec27233b54beb8b89386ef0884a68 | N/A | XSS, HTML Injection - Object Tag - Body (beta) | Log | Block | This is a new detection. This rule is merged into the original rule "XSS, HTML Injection - Object Tag" (ID: e9e3ac45a6d842f1a132fbf70c14e284). |
| Cloudflare Managed Ruleset | 0087c27420c54168a10bc05eff012303 | N/A | XSS, HTML Injection - Object Tag - Headers | Log | Block | This is a new detection. The rule previously known as "XSS, HTML Injection - Object Tag - Headers (beta)" is now renamed to "XSS, HTML Injection - Object Tag - Headers". |
| Cloudflare Managed Ruleset | 38dc97853ebf40ed9476ec7816f921d9 | N/A | XSS, HTML Injection - Object Tag - URI | Log | Block | This is a new detection. The rule previously known as "XSS, HTML Injection - Object Tag - URI (beta)" is now renamed to "XSS, HTML Injection - Object Tag - URI". |
| Cloudflare Managed Ruleset | 963cb530f72d4c75b2ae7befdc90d21a | N/A | Command Injection - Generic 9 - Body Vector - Beta | N/A | Disabled | This is a new detection. This rule is merged into the original rule "Command Injection - Generic 9 - Body Vector" (ID: 155bb67d1061479e995a38510677175f). |
| Cloudflare Managed Ruleset | 6ac1b6dfe22449a798cc7021f8960375 | N/A | Command Injection - Generic 9 - Header Vector - Beta | N/A | Disabled | This is a new detection. This rule is merged into the original rule "Command Injection - Generic 9 - Header Vector" (ID: b31c34a7b29b4aaf9be6883d1eb7a999). |
| Cloudflare Managed Ruleset | 47a9b66dd73a4a558590c4bdef47a800 | N/A | Command Injection - Generic 9 - URI Vector - Beta | N/A | Disabled | This is a new detection. This rule is merged into the original rule "Command Injection - Generic 9 - URI Vector" (ID: 54ad0465c30d4cd2ac7a707197321c6c). |
| Cloudflare Managed Ruleset | d2ae4a8093f245a1b9de71bbbeebf804 | N/A | Command Injection - Sleep - Body | N/A | Disabled | This is a new detection. The rule previously known as "Command Injection - Sleep" is now renamed to "Command Injection - Sleep - Body". |
| Cloudflare Managed Ruleset | da91868c0d3d44afb846e7830d257566 | N/A | Command Injection - Sleep - Headers | N/A | Disabled | This is a new detection. |
| Cloudflare Managed Ruleset | 04863c61e982464b91778f051856fe86 | N/A | Command Injection - Sleep - URI | N/A | Disabled | This is a new detection. |
| Cloudflare Managed Ruleset | 9dc1a0b8dbb7425db619309be6e43c37 | N/A | Fortinet FortiSandbox - Command Injection - CVE:CVE-2026-39808 | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | b84c10f5a8f84800905932dc88118795 | N/A | Remote Code Execution - Common Bash Bypass - Headers | N/A | Disabled | This is a new detection. |
| Cloudflare Managed Ruleset | f496c40011f14bfdb5f55ec79299d53b | N/A | Remote Code Execution - Common Bash Bypass - URI | N/A | Disabled | This is a new detection. |
| Cloudflare Managed Ruleset | a5f75abac2664554a984d061b0bf33f9 | N/A | Remote Code Execution - Common Bash Bypass - Body - Beta | N/A | Disabled | This is a new detection. This rule is merged into the original rule "Remote Code Execution - Common Bash Bypass Body" (ID: 6e2f7a696ea74c979e7d069cefb7e5b9). The rule previously known as "Remote Code Execution - Common Bash Bypass Beta" is now renamed to "Remote Code Execution - Common Bash Bypass Body". |
| Cloudflare Managed Ruleset | bbb31a886ab54f6c8cdd220d33bfe8b9 | N/A | PHP Object Injection - 2 - Body - Beta | N/A | Disabled | This is a new detection. This rule is merged into the original rule "PHP Object Injection - 2" (ID: 8ef3c3f91eef46919cc9cb6d161aafdc). |
| Cloudflare Managed Ruleset | e199688ab69746c88c33457f29552387 | N/A | PHP Object Injection - 2 - Headers | N/A | Disabled | This is a new detection. |
| Cloudflare Managed Ruleset | eb33d40e96c54e929af6ed9c8104f4c5 | N/A | PHP Object Injection - 2 - URI | N/A | Disabled | This is a new detection. |
| Cloudflare Managed Ruleset | 76b15b7b122a4be6a40d8aa96a46201e | N/A | SQLi - DROP - 2 - Beta | N/A | Disabled | This is a new detection. This rule is merged into the original rule "SQLi - DROP - 2" (ID: a967a167874b42b6898be46e48ac2221). |
| Cloudflare Managed Ruleset | e24b2ef4a5c54f97a62db7a68b7f85ee | N/A | SQLi - DROP - 2 - Headers | N/A | Disabled | This is a new detection. |
| Cloudflare Managed Ruleset | 51123f35f1d249358aea8fb11546b5f0 | N/A | SQLi - DROP - 2 - URI | N/A | Disabled | This is a new detection. |
| Cloudflare Managed Ruleset | d86d8873310d41f2877458a91e053dce | N/A | SmarterMail - Remote Code Execution - CVE:CVE-2026-24423 | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | 00da180570d34b5bae2121acd0023a36 | N/A | SQLi - SELECT Expression - Body | Block | Disabled | Action changed |
| Cloudflare Managed Ruleset | c46d9097c9ef419aa4d9f10626cc211f | N/A | SQLi - String Concatenation - URI | Block | Disabled | Action changed |

Fetched June 19, 2026