WAF Release - 2026-05-04
This week's release focuses on new detections to expand coverage across command injection, SQL injection, PHP object injection, remote code execution, and XSS attack vectors.
Key Findings
- Existing rule enhancements have been deployed to improve detection resilience against broad classes of web attacks and strengthen behavioral coverage.
Continuous Rule Improvements
We are continuously refining our managed rules to provide more resilient protection and deeper insights into attack patterns. To ensure an optimal security posture, we recommend consistently monitoring the Security Events dashboard and adjusting rule actions as these enhancements are deployed.
| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | | N/A | XSS, HTML Injection - Object Tag - Body (beta) | Log | Block | This is a new detection. This rule is merged into the original rule "XSS, HTML Injection - Object Tag" (ID: |
| Cloudflare Managed Ruleset | | N/A | XSS, HTML Injection - Object Tag - Headers | Log | Block | This is a new detection. The rule previously known as "XSS, HTML Injection - Object Tag - Headers (beta)" is now renamed to "XSS, HTML Injection - Object Tag - Headers". |
| Cloudflare Managed Ruleset | | N/A | XSS, HTML Injection - Object Tag - URI | Log | Block | This is a new detection. The rule previously known as "XSS, HTML Injection - Object Tag - URI (beta)" is now renamed to "XSS, HTML Injection - Object Tag - URI". |
| Cloudflare Managed Ruleset | | N/A | Command Injection - Generic 9 - Body Vector - Beta | N/A | Disabled | This is a new detection. This rule is merged into the original rule "Command Injection - Generic 9 - Body Vector" (ID: |
| Cloudflare Managed Ruleset | | N/A | Command Injection - Generic 9 - Header Vector - Beta | N/A | Disabled | This is a new detection. This rule is merged into the original rule "Command Injection - Generic 9 - Header Vector" (ID: |
| Cloudflare Managed Ruleset | | N/A | Command Injection - Generic 9 - URI Vector - Beta | N/A | Disabled | This is a new detection. This rule is merged into the original rule "Command Injection - Generic 9 - URI Vector" (ID: |
| Cloudflare Managed Ruleset | | N/A | Command Injection - Sleep - Body | N/A | Disabled | This is a new detection. The rule previously known as "Command Injection |
| Cloudflare Managed Ruleset | | N/A | Command Injection - Sleep - Headers | N/A | Disabled | This is a new detection. |
| Cloudflare Managed Ruleset | | N/A | Command Injection - Sleep - URI | N/A | Disabled | This is a new detection. |
| Cloudflare Managed Ruleset | | N/A | Fortinet FortiSandbox - Command Injection - CVE:CVE-2026-39808 | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | | N/A | Remote Code Execution - Common Bash Bypass - Headers | N/A | Disabled | This is a new detection. |
| Cloudflare Managed Ruleset | | N/A | Remote Code Execution - Common Bash Bypass - URI | N/A | Disabled | This is a new detection. |
| Cloudflare Managed Ruleset | | N/A | Remote Code Execution - Common Bash Bypass - Body - Beta | N/A | Disabled | This is a new detection. This rule is merged into the original rule "Remote Code Execution - Common Bash Bypass Body" (ID: |
| Cloudflare Managed Ruleset | | N/A | PHP Object Injection - 2 - Body - Beta | N/A | Disabled | This is a new detection. This rule is merged into the original rule "PHP Object Injection - 2" (ID: |
| Cloudflare Managed Ruleset | | N/A | PHP Object Injection - 2 - Headers | N/A | Disabled | This is a new detection. |
| Cloudflare Managed Ruleset | | N/A | PHP Object Injection - 2 - URI | N/A | Disabled | This is a new detection. |
| Cloudflare Managed Ruleset | | N/A | SQLi - DROP - 2 - Beta | N/A | Disabled | This is a new detection. This rule is merged into the original rule "SQLi - DROP - 2" (ID: |
| Cloudflare Managed Ruleset | | N/A | SQLi - DROP - 2 - Headers | N/A | Disabled | This is a new detection. |
| Cloudflare Managed Ruleset | | N/A | SQLi - DROP - 2 - URI | N/A | Disabled | This is a new detection. |
| Cloudflare Managed Ruleset | | N/A | SmarterMail - Remote Code Execution - CVE:CVE-2026-24423 | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | | N/A | SQLi - SELECT Expression - Body | Block | Disabled | Action changed |
| Cloudflare Managed Ruleset | | N/A | SQLi - String Concatenation - URI | Block | Disabled | Action changed |