releases.shpreview
CloudflareCloudflare/Application Security

WAF - WAF Release - 2026-06-09

June 9, 2026Application Security ChangelogView original ↗

This release introduces new detections for a critical SQL injection vulnerability in Drupal installations utilizing PostgreSQL (CVE-2026-9082), alongside targeted protection for an unsafe deserialization flaw in the Mirasvit Cache Warmer extension (CVE-2026-45247). Additionally, this release includes coverage for a prototype pollution vector in Axios (CVE-2026-40175) and a new generic rule designed to identify and block sophisticated SQL Injection (SQLi) bypass attempts leveraging obfuscated boolean logic.

Key Findings

  • CVE-2026-9082: A database abstraction vulnerability affects Drupal sites configured with a PostgreSQL backend. Remote, unauthenticated attackers can exploit this flaw via crafted inputs to inject malicious SQL commands and access or manipulate backend data.

  • CVE-2026-45247: A PHP Object Injection vulnerability exists in the Mirasvit Cache Warmer extension for Magento and Adobe Commerce. This flaw stems from unsafe deserialization of untrusted user input, enabling unauthenticated attackers to execute arbitrary code on the hosting server.

  • CVE-2026-40175: A prototype pollution vulnerability affects the Axios HTTP client library. Attackers can exploit this to inject malicious properties into the global JavaScript object prototype, potentially causing application crashes (Denial of Service) or executing unauthorized code depending on the application structure.

Impact

Successful exploitation of these vulnerabilities could allow unauthenticated attackers to execute arbitrary code, manipulate database contents, or induce application crashes, leading to severe operational disruption or complete server compromise. These newly deployed signatures intercept these advanced malicious payloads at the edge before they can interact with vulnerable software configurations.

Ruleset

Rule ID

Legacy Rule ID

Description

Previous Action

New Action

Comments

Cloudflare Managed Ruleset

b4f88cb767874def810edd0b387cf935

N/A

Axios - Prototype Pollution - CVE:CVE-2026-40175

Log

Block

This is a new detection.

Cloudflare Managed Ruleset

098997bb8b5f48abb4039bd6417eb9e0

N/A

Drupal - PostgreSQL SQLi - CVE:CVE-2026-9082 - Body

Log

Block

This is a new detection.

Cloudflare Managed Ruleset

8a7650b99ec04a91a19b8295fd3857fd

N/A

Drupal - PostgreSQL SQLi - CVE:CVE-2026-9082 - URI

Log

Block

This is a new detection.

Cloudflare Managed Ruleset

525c0871787840e6a6193f6caee241d2

N/A

SQLi - Obfuscated Boolean - Body

N/A

Disabled

This is a new detection.

Cloudflare Managed Ruleset

1ec4aeaf7900463397b82b35d8620070

N/A

SQLi - Obfuscated Boolean - Headers

N/A

Disabled

This is a new detection.

Cloudflare Managed Ruleset

fb74766654c44ff2a5204dc4e0be4d47

N/A

Mirasvit Cache Warmer - PHP Object Injection - CVE:CVE-2026-45247

N/A

Block

This is a new detection.

Fetched June 19, 2026