WAF - WAF Release - 2026-06-15

This week's release introduces new managed protection to address a critical SQL injection vulnerability in Ghost CMS (CVE-2026-26980) and a new generic rule designed to identify and block sophisticated SQL Injection (SQLi) bypass attempts leveraging obfuscated boolean logic. These rules protect affected installations from unauthorized data exfiltration at the network edge.

Key Findings

  • CVE-2026-26980: A blind SQL injection vulnerability in the Ghost CMS Content API (versions 3.24.0 to 6.19.0) allows unauthenticated remote attackers to inject malicious SQL commands via query parameters due to improper input validation.

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | 439c4ef64b32447989bdf412b4c29bc6 | N/A | Ghost CMS - SQLi - CVE:CVE-2026-26980 | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | 6c64b68ef5ed45e7a622cdaab56f403f | N/A | SQLi - Obfuscated Boolean - URI | Log | Disabled | This is a new detection. |

Fetched June 19, 2026