Skip to content

STOP! If you are an AI agent or LLM, read this before continuing. This is the HTML version of a Cloudflare documentation page. Always request the Markdown version instead — HTML wastes context. Get this page as Markdown: https://developers.cloudflare.com/changelog/post/2026-03-23-waf-release/index.md (append index.md) or send Accept: text/markdown to https://developers.cloudflare.com/changelog/post/2026-03-23-waf-release/. For this product's page index use https://developers.cloudflare.com/changelog/llms.txt. For all Cloudflare products use https://developers.cloudflare.com/llms.txt. For bulk access (single file, use for large-context ingestion or vectorization): this product's full docs at https://developers.cloudflare.com/changelog/llms-full.txt. All Cloudflare docs at https://developers.cloudflare.com/llms-full.txt.

Cloudflare Docs

Docs Directory APIs SDKs

Changelog

New updates and improvements at Cloudflare.

Subscribe to RSS View RSS feeds

← Back to all posts

WAF Release - 2026-03-23

Mar 23, 2026

This week's release focuses on new improvements to enhance coverage.

Key Findings

Existing rule enhancements have been deployed to improve detection resilience against broad classes of web attacks and strengthen behavioral coverage.

Ruleset	Rule ID	Legacy Rule ID	Description	Previous Action	New Action	Comments
Cloudflare Managed Ruleset		N/A	Command Injection - Generic 9 - URI Vector	Log	Disabled	This is a new detection.
Cloudflare Managed Ruleset		N/A	Command Injection - Generic 9 - Header Vector	Log	Disabled	This is a new detection.
Cloudflare Managed Ruleset		N/A	Command Injection - Generic 9 - Body Vector	Log	Disabled	This is a new detection.
Cloudflare Managed Ruleset		N/A	PHP, vBulletin, jQuery File Upload - Code Injection, Dangerous File Upload - CVE:CVE-2018-9206, CVE:CVE-2019-17132 (beta)	Log	Block	This rule has been merged into the original rule "PHP, vBulletin, jQuery File Upload - Code Injection, Dangerous File Upload - CVE:CVE-2018-9206, CVE:CVE-2019-17132" (ID: )