Application Security Release Notes
Last updated: Mar 31, 2026
- Mar 30, 2026
- Date parsed from source:Mar 30, 2026
- First seen by Releasebot:Mar 31, 2026
Application Security by Cloudflare
WAF - WAF Release - 2026-03-30
Application Security adds new detections for a critical Fortinet authentication bypass, targeted protection for Magento and Adobe Commerce file upload flaws, and three generic HTTP Parameter Pollution rules to help block malicious attempts.
This week's release introduces new detections for a critical authentication bypass vulnerability in Fortinet products (CVE-2025-59718), alongside three new generic detection rules designed to identify and block HTTP Parameter Pollution attempts. Additionally, this release includes targeted protection for a high-impact unrestricted file upload vulnerability in Magento and Adobe Commerce.
Key Findings
CVE-2025-59718: An improper cryptographic signature verification vulnerability in Fortinet FortiOS, FortiProxy, and FortiSwitchManager. This may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication using a maliciously crafted SAML message, if that feature is enabled on the device.
Magento 2 - Unrestricted File Upload: A critical flaw in Magento and Adobe Commerce allows unauthenticated attackers to bypass security checks and upload malicious files to the server, potentially leading to Remote Code Execution (RCE).
Impact
Successful exploitation of the Fortinet vulnerability would let an unauthenticated attacker bypass FortiCloud SSO login and gain administrative control; successful exploitation of the Magento flaw would let an unauthenticated attacker deploy a webshell. Either outcome can lead to complete server compromise and data theft.
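The three parameter-pollution rules in this release are generic detections for the same parameter name arriving more than once in a request. As an added example (not Cloudflare's rule logic; the request below is constructed), the following Python finds duplicated parameters in the URI and body vectors and shows why the condition matters: the value a back end actually uses depends on how that back end resolves duplicates, so a filter that checks one copy can be bypassed with another.

```python
"""Added example, not Cloudflare's rule logic: find HTTP Parameter Pollution
(the same parameter name sent more than once) in the URI and body vectors,
and show how three common back-end resolution strategies disagree on the
value that will actually be used."""
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, urlsplit

# Constructed sample request (not captured traffic). 'amount' is sent twice
# in the query string and 'role' twice in the form body.
SAMPLE_REQUEST = {
    "method": "POST",
    "uri": "/transfer?amount=10&to=alice&amount=5000",
    "headers": {"Content-Type": "application/x-www-form-urlencoded"},
    "body": "role=user&note=hi&role=admin",
}

Finding = Tuple[str, str, List[str]]  # (vector, parameter name, all values seen)


def duplicated_params(encoded: str) -> Dict[str, List[str]]:
    """Return {name: [values...]} for every name that appears more than once."""
    seen: Dict[str, List[str]] = {}
    for name, value in parse_qsl(encoded, keep_blank_values=True):
        seen.setdefault(name, []).append(value)
    return {name: values for name, values in seen.items() if len(values) > 1}


def inspect_request(req: dict) -> List[Finding]:
    """Flag duplicated parameters in the URI query string and, for
    form-encoded requests, in the body."""
    findings: List[Finding] = []
    query = urlsplit(req["uri"]).query
    for name, values in duplicated_params(query).items():
        findings.append(("uri", name, values))
    ctype = req.get("headers", {}).get("Content-Type", "")
    if ctype.split(";")[0].strip().lower() == "application/x-www-form-urlencoded":
        for name, values in duplicated_params(req.get("body", "")).items():
            findings.append(("body", name, values))
    return findings


def resolutions(values: List[str]) -> Dict[str, str]:
    """How a duplicated parameter resolves under the three usual strategies:
    first occurrence wins (e.g. Flask's request.args.get), last occurrence
    wins (PHP's $_GET), or all values joined with a comma (classic ASP.NET).
    A proxy that validates under one strategy while the back end reads
    under another checks a different value than the one used; that gap is
    what pollution exploits."""
    return {"first": values[0], "last": values[-1], "join": ",".join(values)}


if __name__ == "__main__":
    for vector, name, values in inspect_request(SAMPLE_REQUEST):
        print(f"{vector}: {name} sent {len(values)} times -> {resolutions(values)}")
```

The detector only reports the condition; whether it is an attack depends on the application, which is why rules of this kind typically start in Log mode, as the scheduled-changes entry for these rules shows.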
Ruleset
All rules below are in the Cloudflare Managed Ruleset; Legacy Rule ID is N/A for each.
4f7d513cea424c2a853881982f7f95e9
- Description: Generic Rules - Parameter Pollution - Body
- Previous Action: Log
- New Action: Disabled
60d023f3be414d379428add3319731a4
- Description: Generic Rules - Parameter Pollution - Header - Form
- Previous Action: Log
- New Action: Disabled
2dde02d792ad41ec8fd65c2bdef262dd
- Description: Generic Rules - Parameter Pollution - URI
- Previous Action: Log
- New Action: Disabled
ab8a96ed13034d56a81a79e570a36147
- Description: Magento 2 - Unrestricted file upload
- Previous Action: Log
- New Action: Block
0a13a38dd81c44688950444e2ffcca9f
- Description: Fortinet FortiCloud SSO - Authentication Bypass - CVE:CVE-2025-59718
- Previous Action: Log
- New Action: Block

- Mar 30, 2026
- Date parsed from source:Mar 30, 2026
- First seen by Releasebot:Mar 31, 2026
Application Security by Cloudflare
WAF - WAF Release - Scheduled changes for 2026-04-06
Application Security adds new detections for command execution, an MCP Server remote code execution CVE, XSS via event handlers in cookies, SQLi evasion, LIKE and UNION techniques, plus a SolarWinds authentication bypass rule, expanding coverage against common exploitation paths.
Announcement Date: 2026-03-30
Release Date: 2026-04-06
Release Behavior: Log
Legacy Rule ID: N/A (all rules)
Comments: This is a new detection. (all rules)
Rule ID and Description:
- 73ae1cf103da4bacaa2e1a610aa410af: Generic Rules - Command Execution - 5 - Body
- a88a85b0cc5a4bc2abead6289131ec2f: Generic Rules - Command Execution - 5 - Header
- 28518cdc40544979bbd86720551eb9e5: Generic Rules - Command Execution - 5 - URI
- 1177993d53a1467997002b44d46229eb: MCP Server - Remote Code Execution - CVE:CVE-2026-23744
- 3d43cdfbc3c14584942f8bc4a864b9c2: XSS - OnEvents - Cookies
- c9dbce2c1da94b24916e37559712a863: SQLi - Evasion - Body
- 64d812e6d5844d7c9d7a44a440732d48: SQLi - Evasion - Headers
- 50de9369ef7c45928a5dfb34e68a99b5: SQLi - Evasion - URI
- 765ffb5c67b94c9589106c843e8143d2: SQLi - LIKE 3 - Body
- 5c3dbd4f115e47c781491fcd70e7fb97: SQLi - LIKE 3 - URI
- 89fa6027a0334949b1cb2e654c538bd9: SQLi - UNION - 2 - Body
- 05946b3458364f1b9d4819d561c439c9: SQLi - UNION - 2 - URI
- b2fe5c2a39df4609b6d39908cf33ea10: SolarWinds - Auth Bypass - CVE:CVE-2025-40552
- Mar 23, 2026
- Date parsed from source:Mar 23, 2026
- First seen by Releasebot:Mar 25, 2026
Application Security by Cloudflare
API Shield - Web Assets fields now available in GraphQL Analytics API
Application Security adds two GraphQL Analytics API fields for httpRequestsAdaptive and httpRequestsAdaptiveGroups, exposing matched Web Assets operation IDs and managed labels per request to help troubleshoot security detection verdicts and endpoint matching.
Two new fields are now available in the httpRequestsAdaptive and httpRequestsAdaptiveGroups GraphQL Analytics API datasets:
- webAssetsOperationId — the ID of the saved endpoint that matched the incoming request.
- webAssetsLabelsManaged — the managed labels mapped to the matched operation at the time of the request (for example, cf-llm, cf-log-in). At most 10 labels are returned per request.
Both fields are empty when no operation matched. webAssetsLabelsManaged is also empty when no managed labels are assigned to the matched operation.
These fields allow you to determine, per request, which Web Assets operation was matched and which managed labels were active. This is useful for troubleshooting downstream security detection verdicts — for example, understanding why AI Security for Apps did or did not flag a request.
Refer to Endpoint labeling service for GraphQL query examples.
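As an added example (not Cloudflare's documentation or code), the following Python shows a query that pulls the two new fields and a helper that explains, per request, whether a label-driven detection had a label to act on. The dataset name and the fields webAssetsOperationId and webAssetsLabelsManaged come from the note above; the variable types, filter keys and companion fields are assumptions about the GraphQL schema and should be checked in the schema explorer before use. The response is constructed so the helpers run offline.

```python
"""Added example, not Cloudflare's documentation or code. Dataset and the two
new fields are from the release note; variable types, filter keys and the
companion fields are assumptions about the GraphQL Analytics schema."""
import json
import urllib.request
from collections import defaultdict
from typing import Dict, List

GRAPHQL_URL = "https://api.cloudflare.com/client/v4/graphql"

QUERY = """
query WebAssetsMatches($zoneTag: string, $start: string, $end: string) {
  viewer {
    zones(filter: { zoneTag: $zoneTag }) {
      httpRequestsAdaptive(
        limit: 500
        filter: { datetime_geq: $start, datetime_lt: $end }
      ) {
        datetime
        clientRequestHTTPMethodName
        clientRequestPath
        webAssetsOperationId
        webAssetsLabelsManaged
      }
    }
  }
}
"""


def post_query(api_token: str, variables: dict) -> dict:
    """Send QUERY to the GraphQL Analytics API. Needs network and a token
    with Analytics read permission; not called by the offline demo below."""
    req = urllib.request.Request(
        GRAPHQL_URL,
        data=json.dumps({"query": QUERY, "variables": variables}).encode(),
        headers={"Authorization": f"Bearer {api_token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed response in the shape the query above would return; the
# operation IDs are placeholders, not real saved-endpoint IDs.
SAMPLE_RESPONSE = {"data": {"viewer": {"zones": [{"httpRequestsAdaptive": [
    {"datetime": "2026-03-23T10:00:00Z", "clientRequestHTTPMethodName": "POST",
     "clientRequestPath": "/api/chat", "webAssetsOperationId": "op-chat",
     "webAssetsLabelsManaged": ["cf-llm"]},
    {"datetime": "2026-03-23T10:00:01Z", "clientRequestHTTPMethodName": "POST",
     "clientRequestPath": "/api/login", "webAssetsOperationId": "op-login",
     "webAssetsLabelsManaged": ["cf-log-in"]},
    {"datetime": "2026-03-23T10:00:02Z", "clientRequestHTTPMethodName": "POST",
     "clientRequestPath": "/api/v2/chat", "webAssetsOperationId": "",
     "webAssetsLabelsManaged": []},          # no saved endpoint matched
    {"datetime": "2026-03-23T10:00:03Z", "clientRequestHTTPMethodName": "POST",
     "clientRequestPath": "/api/export", "webAssetsOperationId": "op-export",
     "webAssetsLabelsManaged": []},          # matched, but no managed labels
]}]}}}


def records(response: dict) -> List[dict]:
    return response["data"]["viewer"]["zones"][0]["httpRequestsAdaptive"]


def label_reason(rec: dict, label: str) -> str:
    """Explain, for one request, why a detection keyed on `label` did or
    did not have that label available at request time."""
    op = rec["webAssetsOperationId"]
    if not op:
        return "no saved endpoint matched; add or widen the endpoint in Web Assets"
    if label in rec["webAssetsLabelsManaged"]:
        return f"matched {op}; label {label} was active"
    return f"matched {op}; label {label} is not assigned to that operation"


def summarize(response: dict) -> Dict[str, dict]:
    """Per operation ID: request count, union of managed labels seen, and
    the paths involved. Unmatched requests are grouped under '(unmatched)'."""
    out: Dict[str, dict] = defaultdict(
        lambda: {"requests": 0, "labels": set(), "paths": set()})
    for rec in records(response):
        key = rec["webAssetsOperationId"] or "(unmatched)"
        out[key]["requests"] += 1
        out[key]["labels"].update(rec["webAssetsLabelsManaged"])
        out[key]["paths"].add(rec["clientRequestPath"])
    return dict(out)


if __name__ == "__main__":
    for rec in records(SAMPLE_RESPONSE):
        print(rec["clientRequestPath"], "->", label_reason(rec, "cf-llm"))
    print(summarize(SAMPLE_RESPONSE))
```

The "(unmatched)" bucket is the one to look at first when a request was not flagged: an empty webAssetsOperationId means no endpoint matched at all, so no label (and no label-driven verdict) was possible.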
- Mar 23, 2026
- Date parsed from source:Mar 23, 2026
- First seen by Releasebot:Mar 24, 2026
Application Security by Cloudflare
WAF - WAF Release - 2026-03-23
Application Security improves coverage with new detection resilience for broad web attacks and stronger behavioral coverage, including new Command Injection detections across URI, header, and body vectors plus a merged PHP and file upload rule.
This week's release focuses on new improvements to enhance coverage.
Key Findings
Existing rule enhancements have been deployed to improve detection resilience against broad classes of web attacks and strengthen behavioral coverage.
Ruleset
All rules below are in the Cloudflare Managed Ruleset; Legacy Rule ID is N/A for each.
54ad0465c30d4cd2ac7a707197321c6c
- Description: Command Injection - Generic 9 - URI Vector
- Previous Action: Log
- New Action: Disabled
- Comments: This is a new detection.
b31c34a7b29b4aaf9be6883d1eb7a999
- Description: Command Injection - Generic 9 - Header Vector
- Previous Action: Log
- New Action: Disabled
- Comments: This is a new detection.
155bb67d1061479e995a38510677175f
- Description: Command Injection - Generic 9 - Body Vector
- Previous Action: Log
- New Action: Disabled
- Comments: This is a new detection.
55fb1c76f0304f6a9d935d03479da68f
- Description: PHP, vBulletin, jQuery File Upload - Code Injection, Dangerous File Upload - CVE:CVE-2018-9206, CVE:CVE-2019-17132 (beta)
- Previous Action: Log
- New Action: Block
- Comments: This rule has been merged into the original rule "PHP, vBulletin, jQuery File Upload - Code Injection, Dangerous File Upload - CVE:CVE-2018-9206, CVE:CVE-2019-17132" (ID: 0f2da91cec674eb58006929e824b817c)

- Mar 23, 2026
- Date parsed from source:Mar 23, 2026
- First seen by Releasebot:Mar 24, 2026
Application Security by Cloudflare
WAF - WAF Release - Scheduled changes for 2026-03-30
Application Security adds new detections for parameter pollution in body, header form, and URI traffic, plus Magento 2 unrestricted file upload and Fortinet FortiCloud SSO authentication bypass coverage.
Announcement Date: 2026-03-23
Release Date: 2026-03-30
Release Behavior: Log
Legacy Rule ID: N/A (all rules)
Comments: This is a new detection. (all rules)
Rule ID and Description:
- 4f7d513cea424c2a853881982f7f95e9: Generic Rules - Parameter Pollution - Body
- 60d023f3be414d379428add3319731a4: Generic Rules - Parameter Pollution - Header - Form
- 2dde02d792ad41ec8fd65c2bdef262dd: Generic Rules - Parameter Pollution - URI
- ab8a96ed13034d56a81a79e570a36147: Magento 2 - Unrestricted file upload
- 0a13a38dd81c44688950444e2ffcca9f: Fortinet FortiCloud SSO - Authentication Bypass - CVE:CVE-2025-59718

- Mar 18, 2026
- Date parsed from source:Mar 18, 2026
- First seen by Releasebot:Mar 18, 2026
Application Security by Cloudflare
Security Center - Real-time logo match preview
Application Security releases Logo Match Preview, a new feature that adds pre-save visibility for visual assets alongside string queries. Users can upload a brand logo, preview potential matches, tune similarity scores in real time, and review triggered logos before finalizing a query in Brand Protection.
What’s new
- Upload your brand logo and immediately see a sample of potential matches from recently detected sites before finalizing the query
- Adjust your similarity score (from 75% to 100%) and watch the results refresh in real-time to find the balance between broad detection and noise reduction
- Review the specific logos triggered by your current settings to ensure your query is capturing the right level of brand infringement
If you are ready to test your brand assets, go to the Brand Protection dashboard to try the new preview tool.
- Mar 17, 2026
- Date parsed from source:Mar 17, 2026
- First seen by Releasebot:Mar 18, 2026
Application Security by Cloudflare
Security Overview - New Security Overview UI
Application Security releases an updated Security Overview that adds actionable insights and a clearer posture view. Highlights include universal criticality ratings for all insights, a new Detection Tools section showing enabled and activatable tools, and an Enterprise Industry Peer Comparison module for benchmarking.
Security Overview Update
The Security Overview has been updated to provide Application Security customers with more actionable insights and a clearer view of their security posture.
Key improvements include:
- Criticality for all Insights: Every insight now includes a criticality rating, allowing you to prioritize the most impactful security action items first.
- Detection Tools Section: A new section displays the security detection tools available to you, indicating which are currently enabled and which can be activated to strengthen your defenses.
- Industry Peer Comparison (Enterprise customers): A new module from Security Reports benchmarks your security posture against industry peers, highlighting relative strengths and areas for improvement.
For more information, refer to Security Overview.
- Mar 16, 2026
- Date parsed from source:Mar 16, 2026
- First seen by Releasebot:Mar 16, 2026
Application Security by Cloudflare
WAF - WAF Release - Scheduled changes for 2026-03-23
Application Security releases new detections for Command Injection - Generic across URI, Header, and Body vectors, and merges the PHP, vBulletin, jQuery File Upload - Code Injection, Dangerous File Upload rule into its original rule set.
54ad0465c30d4cd2ac7a707197321c6c
- Announcement Date: 2026-03-16
- Release Date: 2026-03-23
- Release Behavior: Log
- Legacy Rule ID: N/A
- Rule ID: 54ad0465c30d4cd2ac7a707197321c6c
- Description: Command Injection - Generic 9 - URI Vector
- Comments: This is a new detection.
b31c34a7b29b4aaf9be6883d1eb7a999
- Announcement Date: 2026-03-16
- Release Date: 2026-03-23
- Release Behavior: Log
- Legacy Rule ID: N/A
- Rule ID: b31c34a7b29b4aaf9be6883d1eb7a999
- Description: Command Injection - Generic 9 - Header Vector
- Comments: This is a new detection.
155bb67d1061479e995a38510677175f
- Announcement Date: 2026-03-16
- Release Date: 2026-03-23
- Release Behavior: Log
- Legacy Rule ID: N/A
- Rule ID: 155bb67d1061479e995a38510677175f
- Description: Command Injection - Generic 9 - Body Vector
- Comments: This is a new detection.
55fb1c76f0304f6a9d935d03479da68f
- Announcement Date: 2026-03-16
- Release Date: 2026-03-23
- Release Behavior: Log
- Legacy Rule ID: N/A
- Rule ID: 55fb1c76f0304f6a9d935d03479da68f
- Description: PHP, vBulletin, jQuery File Upload - Code Injection, Dangerous File Upload - CVE:CVE-2018-9206, CVE:CVE-2019-17132 (beta)
- Comments: This rule will be merged into the original rule "PHP, vBulletin, jQuery File Upload - Code Injection, Dangerous File Upload - CVE:CVE-2018-9206, CVE:CVE-2019-17132" (ID: 0f2da91cec674eb58006929e824b817c )
- Mar 12, 2026
- Date parsed from source:Mar 12, 2026
- First seen by Releasebot:Mar 12, 2026
Application Security by Cloudflare
WAF - WAF Release - 2026-03-12 - Emergency
This emergency release adds detections for Ivanti Endpoint Manager Mobile CVE-2026-1281 and CVE-2026-1340, plus a generic rule that blocks XSS payloads carried in the Content-Security-Policy request header. Together the two new Cloudflare Managed Ruleset detections broaden protection against unauthenticated RCE and CSP header abuse.
This week's release introduces new detections for vulnerabilities in Ivanti Endpoint Manager Mobile (CVE-2026-1281 and CVE-2026-1340), alongside a new generic detection rule designed to identify and block Cross-Site Scripting (XSS) injection attempts within the Content-Security-Policy (CSP) HTTP request header.
Key Findings
CVE-2026-1281 & CVE-2026-1340: Ivanti Endpoint Manager Mobile processes HTTP requests through Apache RewriteMap directives that pass user-controlled input to Bash scripts (/mi/bin/map-appstore-url and /mi/bin/map-aft-store-url). The scripts do not sanitize that input before evaluating it in a shell arithmetic context, where Bash expands a crafted value as code, so an unauthenticated attacker can achieve remote code execution.
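The vulnerability class named above, Bash arithmetic expansion over unsanitised input, is easy to reproduce in isolation. The following is an added example, not Ivanti's code and not an exploit for these CVEs: two hypothetical one-line stand-in scripts, one that evaluates its argument inside `$(( ))` and one that rejects anything that is not a decimal integer first. The payload's only effect is to create a marker file in a temporary directory, which proves that a command inside the arithmetic expression was executed. It needs bash on PATH.

```python
"""Added example, not Ivanti's code and not an exploit for the CVEs above:
demonstrates the vulnerability class, Bash arithmetic expansion over
unsanitised input, with hypothetical stand-in scripts."""
import os
import subprocess
import tempfile
from typing import Dict

# Hypothetical vulnerable script: the value arrives as $1 and is used inside
# $(( )). Bash evaluates a variable's string value as an arithmetic
# expression when it is referenced, and an array subscript inside that
# expression undergoes command substitution, so a[$(cmd)] runs cmd.
VULNERABLE = 'count="$1"; echo $(( count + 1 ))'

# Hardened stand-in: reject anything that is not a plain decimal integer
# before it ever reaches the arithmetic context.
HARDENED = (
    'case "$1" in ""|*[!0-9]*) echo "rejected" >&2; exit 2 ;; esac; '
    'count="$1"; echo $(( count + 1 ))'
)


def run_script(script: str, arg: str) -> subprocess.CompletedProcess:
    # $0 is set to the literal "stand-in", so the untrusted value is $1.
    return subprocess.run(["bash", "-c", script, "stand-in", arg],
                          capture_output=True, text=True, timeout=5)


def demo() -> Dict[str, object]:
    """Run a benign number and an injection payload through both scripts.
    The payload creates a marker file and then yields subscript 0, so the
    vulnerable script both runs the command and prints a normal-looking 1."""
    fd, marker = tempfile.mkstemp(prefix="arith-")
    os.close(fd)
    os.unlink(marker)  # the marker must not exist before the run
    payload = f'a[$(touch "{marker}"; echo 0)]'
    try:
        benign = run_script(VULNERABLE, "41")
        vuln = run_script(VULNERABLE, payload)
        vuln_executed = os.path.exists(marker)
        if vuln_executed:
            os.unlink(marker)
        hard_benign = run_script(HARDENED, "41")
        hard = run_script(HARDENED, payload)
        hard_executed = os.path.exists(marker)
    finally:
        if os.path.exists(marker):
            os.unlink(marker)
    return {
        "vulnerable_benign_output": benign.stdout.strip(),
        "vulnerable_payload_output": vuln.stdout.strip(),
        "vulnerable_payload_ran_command": vuln_executed,
        "hardened_benign_output": hard_benign.stdout.strip(),
        "hardened_rejected": hard.returncode == 2,
        "hardened_payload_ran_command": hard_executed,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point for a WAF rule is visible in the payload: the attack bytes are a bracketed array reference with a command substitution, carried in whatever request field the RewriteMap hands to the script, which is why a signature can catch it even though the execution happens inside an arithmetic expansion rather than a plain `eval`.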
Generic XSS in CSP Header: This rule identifies malicious payloads embedded within the request's Content-Security-Policy header. It specifically targets scenarios where web frameworks or applications trust and extract values directly from the CSP header in the incoming request without sufficient validation. Attackers can provide crafted header values to inject scripts or malicious directives that are subsequently processed by the server.
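The reflection pattern this rule targets is shown below as an added example, not a Cloudflare rule: a handler that copies the request's Content-Security-Policy header into the page it renders, beside a hardened handler and the request-side check a proxy can apply. The request headers are constructed, and the token allowlist is an assumption of the example that is deliberately narrower than the CSP grammar.

```python
"""Added example, not a Cloudflare rule: a handler that reflects the
request's Content-Security-Policy header (the pattern the rule targets),
a hardened version, and a request-side check. Requests are constructed."""
import html
import re
from typing import Dict, Optional

# Constructed request header values (not captured traffic).
LEGIT_CSP = "default-src 'self'; script-src 'self' https://cdn.example.com; img-src *"
HOSTILE_CSP = "default-src 'self'\"><script>alert(document.cookie)</script><meta x=\""


def render_vulnerable(headers: Dict[str, str]) -> str:
    """Mirrors the inbound header into a <meta> tag with no validation and
    no escaping, so the client's bytes become part of the HTML. A cache in
    front of this handler would store and replay the poisoned page."""
    csp = headers.get("Content-Security-Policy", "")
    return ('<html><head><meta http-equiv="Content-Security-Policy" '
            f'content="{csp}"></head><body>ok</body></html>')


_DIRECTIVE_NAME = re.compile(r"^[a-z0-9-]+$")
# Allowlist for value tokens: keywords ('self'), schemes, hosts, wildcards,
# nonces and hashes. An assumption of this example, deliberately narrower
# than the CSP grammar, which itself permits '<' and '>' in values.
_VALUE_TOKEN = re.compile(r"^[A-Za-z0-9'*:/._%+=\-]+$")


def validate_csp(value: str) -> Optional[str]:
    """Return the policy in normalised form if every directive name and
    value token is well-formed, otherwise None."""
    directives = []
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, *tokens = raw.split()
        if not _DIRECTIVE_NAME.match(name) or any(not _VALUE_TOKEN.match(t) for t in tokens):
            return None
        directives.append(" ".join([name, *tokens]))
    return "; ".join(directives) or None


def render_hardened(headers: Dict[str, str], fallback: str = "default-src 'self'") -> str:
    """Only a policy that passes the grammar is used, and even then it is
    HTML-escaped; anything else falls back to a fixed policy."""
    csp = validate_csp(headers.get("Content-Security-Policy", "")) or fallback
    return ('<html><head><meta http-equiv="Content-Security-Policy" '
            f'content="{html.escape(csp, quote=True)}"></head><body>ok</body></html>')


def request_csp_is_suspicious(headers: Dict[str, str]) -> bool:
    """Request-side check: Content-Security-Policy is a response header, so
    its presence on a request is unusual to begin with; a value that fails
    the grammar is treated as an injection attempt."""
    value = headers.get("Content-Security-Policy")
    return value is not None and validate_csp(value) is None


if __name__ == "__main__":
    print(render_vulnerable({"Content-Security-Policy": HOSTILE_CSP}))
    print(render_hardened({"Content-Security-Policy": HOSTILE_CSP}))
    print(request_csp_is_suspicious({"Content-Security-Policy": HOSTILE_CSP}))
```

Escaping alone would stop the markup injection but not the policy injection (an attacker-chosen `script-src` still weakens the page), which is why the hardened handler validates the grammar and escapes, rather than doing one or the other.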
Impact
Successful exploitation of the Ivanti EPMM vulnerabilities gives an unauthenticated attacker remote code execution. The generic CSP header XSS lets an attacker inject scripts into a page at render time; where server-side caching is in use, the poisoned response can be cached and served to every subsequent visitor.
Ruleset
Both rules are in the Cloudflare Managed Ruleset.
5ae86a9bda0c41dbb905132f796ea2f6
- Description: Ivanti EPMM - Code Injection - CVE:CVE-2026-1281 CVE:CVE-2026-1340
- Previous Action: Log
- New Action: Block
- Comments: This is a new detection.
35978af68e374a059e397bf5ee964a8c
- Description: Anomaly:Header:Content-Security-Policy
- Previous Action: N/A
- New Action: Block
- Comments: This is a new detection.

- Mar 9, 2026
- Date parsed from source:Mar 9, 2026
- First seen by Releasebot:Mar 11, 2026
Application Security by Cloudflare
API Shield - New Vulnerability Scanner for API Shield
Cloudflare unveils Open Beta of Web and API Vulnerability Scanner for API Shield customers. This stateful DAST tool finds logic flaws like BOLA by building API call graphs and testing owner vs attacker contexts with real HTTP requests. Access via the Cloudflare API; dashboard coming in a future release.
Introducing Cloudflare's Web and API Vulnerability Scanner (Open Beta)
Cloudflare is launching the Open Beta of the Web and API Vulnerability Scanner for all API Shield customers. This new, stateful Dynamic Application Security Testing (DAST) platform helps teams proactively find logic flaws in their APIs.
The initial release focuses on detecting Broken Object Level Authorization (BOLA) vulnerabilities by building API call graphs to simulate attacker and owner contexts, then testing these contexts by sending real HTTP requests to your APIs.
The scanner is now available via the Cloudflare API. To scan, set up your target environment, owner and attacker credentials, and upload your OpenAPI file with response schemas. The scanner will be available in the Cloudflare dashboard in a future release.
- Access: This feature is only available to API Shield subscribers via the Cloudflare API. We hope you will use the API for programmatic integration into your CI/CD pipelines and security dashboards.
- Documentation: Refer to the developer documentation to start scanning your endpoints today.
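The owner-versus-attacker test the note describes is shown below in miniature as an added example, not Cloudflare's scanner. A small in-process stand-in for an HTTP API is driven in the owner context to create objects (the producer step that builds the call graph: POST /invoices returns an id that GET /invoices/{id} consumes), then each consumer is replayed in the attacker context and the two responses are compared. The endpoints, tokens, spec and API are constructed for the example, and the same class is run once with the ownership check off and once with it on.

```python
"""Added example, not Cloudflare's scanner: a minimal BOLA check that builds
a producer/consumer call graph in the owner context and replays consumers
in the attacker context. API, spec and credentials are constructed."""
import re
from typing import Dict, List, Optional, Tuple

Response = Tuple[int, dict]

# Constructed credentials: two authenticated users, as the scanner requires.
TOKENS = {"tok-owner": "alice", "tok-attacker": "mallory"}

# Minimal OpenAPI-like description of the producer/consumer pair under test.
SPEC = {
    "producers": [("POST", "/invoices", {"total": 42})],
    "consumers": [("GET", "/invoices/{id}")],
}


class InvoiceApi:
    """Stand-in for the target API. With enforce_ownership=False it has the
    BOLA flaw: any authenticated user can read any invoice by id."""

    def __init__(self, enforce_ownership: bool) -> None:
        self.enforce = enforce_ownership
        self.invoices: Dict[str, dict] = {}
        self.next_id = 1000

    def handle(self, method: str, path: str, headers: dict,
               body: Optional[dict] = None) -> Response:
        token = headers.get("Authorization", "").removeprefix("Bearer ")
        user = TOKENS.get(token)
        if user is None:
            return 401, {"error": "unauthenticated"}
        if method == "POST" and path == "/invoices":
            iid = str(self.next_id)
            self.next_id += 1
            self.invoices[iid] = {"id": iid, "owner": user, "total": body["total"]}
            return 201, self.invoices[iid]
        m = re.fullmatch(r"/invoices/(\d+)", path)
        if method == "GET" and m:
            inv = self.invoices.get(m.group(1))
            # 404 rather than 403 for foreign objects, so the response does
            # not confirm that the id exists.
            if inv is None or (self.enforce and inv["owner"] != user):
                return 404, {"error": "not found"}
            return 200, inv
        return 404, {"error": "no route"}


def scan_bola(api: InvoiceApi, owner_token: str, attacker_token: str) -> List[dict]:
    """For every producer, create an object as the owner; for every consumer,
    fetch it as owner and as attacker. An attacker response that succeeds
    and carries the owner's object is a BOLA finding."""
    owner = {"Authorization": f"Bearer {owner_token}"}
    attacker = {"Authorization": f"Bearer {attacker_token}"}
    findings: List[dict] = []
    for method, path, body in SPEC["producers"]:
        status, created = api.handle(method, path, owner, body)
        if status != 201:
            raise RuntimeError(f"producer {method} {path} failed with {status}")
        for c_method, template in SPEC["consumers"]:
            c_path = template.replace("{id}", created["id"])
            o_status, o_body = api.handle(c_method, c_path, owner)
            a_status, a_body = api.handle(c_method, c_path, attacker)
            if o_status == 200 and a_status == 200 and a_body == o_body:
                findings.append({"endpoint": f"{c_method} {template}",
                                 "object_id": created["id"],
                                 "owner": o_body["owner"],
                                 "attacker_status": a_status})
    return findings


if __name__ == "__main__":
    print("vulnerable:", scan_bola(InvoiceApi(False), "tok-owner", "tok-attacker"))
    print("fixed:     ", scan_bola(InvoiceApi(True), "tok-owner", "tok-attacker"))
```

Two details carry over to a real scan: the attacker context must itself be authenticated (an unauthenticated 401 says nothing about object-level authorization), and the comparison is on the response body, not just the status code, so that an endpoint which returns 200 with an empty or redacted object is not reported as a finding.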