Application Security Updates & Release Notes
101 updates curated from 1 source by the Releasebot Team. Last updated: May 16, 2026
- May 15, 2026
- Date parsed from source: May 15, 2026
- First seen by Releasebot: May 16, 2026
Application Security by Cloudflare
WAF - WAF Release - 2026-05-15 - Emergency
Application Security releases new detection rules for nginx CVE-2026-42945, helping block heap buffer overflow and heap spray exploitation attempts tied to the rewrite module issue.
This emergency release introduces two new rules to detect nginx heap buffer overflow and heap spray exploitation attempts targeting the rewrite module's is_args stale-state bug (CVE-2026-42945).
Key Findings
CVE-2026-42945: nginx Heap Buffer Overflow via Stale is_args in Rewrite Module
Successful exploitation allows remote attackers to trigger a heap buffer overflow in nginx's rewrite module by sending crafted URIs containing escapable characters. A length/copy pass mismatch in ngx_http_script_copy_capture_code() causes the copy pass to write escaped data into an undersized buffer, leading to heap corruption. This enables denial of service (worker process crash) and, with heap feng shui techniques, potential remote code execution.
We strongly recommend upgrading to nginx 1.30.1 (or later) immediately to address the underlying vulnerability. If you cannot upgrade immediately, avoid rewrite directives with ? in the replacement string followed by set or if referencing capture groups.
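For teams that cannot upgrade yet, the workaround above can be turned into a configuration audit. The following is an added example, not code from Cloudflare or the nginx project: a heuristic that flags `set` or `if` directives referencing numbered captures after a `rewrite` whose replacement contains `?`. It assumes that `if` bodies belong to the enclosing server or location scope, that a flagged rewrite stays relevant for the rest of that scope, and that `include` files are audited separately; the sample configuration is constructed.

```python
import re
from dataclasses import dataclass

# Numbered capture references as written in nginx values: $1..$9 or ${1}..${9}.
CAPTURE_REF = re.compile(r"\$(?:[1-9]|\{[1-9]\})")


@dataclass
class Finding:
    rewrite_line: int   # line of the rewrite whose replacement contains '?'
    use_line: int       # line of the later set/if that references a capture
    directive: str      # "set" or "if"


def tokenize(text):
    """Yield (line, kind, value); kind is 'sym' for { } ; and 'word' otherwise."""
    i, line, n = 0, 1, len(text)
    while i < n:
        c = text[i]
        if c == "#":                          # comment runs to end of line
            while i < n and text[i] != "\n":
                i += 1
        elif c.isspace():
            line += c == "\n"
            i += 1
        elif c in "{};":
            yield line, "sym", c
            i += 1
        elif c in "\"'":                      # quoted string, backslash escapes
            start, buf, i = line, [], i + 1
            while i < n and text[i] != c:
                if text[i] == "\\" and i + 1 < n:
                    i += 1
                line += text[i] == "\n"
                buf.append(text[i])
                i += 1
            yield start, "word", "".join(buf)
            i += 1
        else:                                 # bare word; "${n}" stays inside it
            j = i
            while j < n and not text[j].isspace() and text[j] not in "{};":
                if text.startswith("${", j):
                    j = text.find("}", j)
                    if j == -1:
                        j = n - 1
                j += 1
            yield line, "word", text[i:j]
            i = j


def check(words, line, scope, findings):
    """Apply the heuristic to one directive (or block header) in its scope."""
    name, args = words[0], words[1:]
    if name == "rewrite" and len(args) >= 2 and "?" in args[1]:
        scope["rewrite"] = line               # assumption: never cleared in scope
    elif name in ("set", "if") and scope["rewrite"] is not None:
        value = " ".join(args[1:] if name == "set" else args)
        if CAPTURE_REF.search(value):
            findings.append(Finding(scope["rewrite"], line, name))


def audit(text):
    """Return findings for nginx configuration text (includes are not followed)."""
    findings, words, start = [], [], 0
    scopes = [{"rewrite": None}]              # one state dict per server/location
    for line, kind, tok in tokenize(text):
        if kind == "word":
            if not words:
                start = line
            words.append(tok)
            continue
        if tok == "}":
            if len(scopes) > 1:
                scopes.pop()
            words = []
            continue
        if words:                             # ';' ends a directive, '{' a header
            check(words, start, scopes[-1], findings)
        if tok == "{":
            shares = bool(words) and words[0] == "if"   # if-body shares the scope
            scopes.append(scopes[-1] if shares else {"rewrite": None})
        words = []
    return findings


# Constructed sample configuration, for illustration only.
SAMPLE = """\
server {
    location /a/ {
        rewrite ^/a/(.*)$ /b/index.php?q=$1 break;
        set $orig $1;
    }
    location /c/ {
        rewrite ^/c/(.*)$ /d/$1 break;
        set $orig $1;
    }
    location /e/ {
        rewrite "^/e/(.*)$" /f?x=1;
        if ($1 = "admin") { return 403; }
    }
}
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"line {f.use_line}: '{f.directive}' uses a capture after "
              f"rewrite with '?' on line {f.rewrite_line}")
```

A finding marks a configuration that matches the workaround's description and should be reviewed; it is not proof that the server is exploitable, and named captures are not checked.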
| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| Cloudflare Managed Ruleset | 2013e3e58efe4b79a26e214f7e52be73 | N/A | nginx - Remote Code Execution - Buffer Overread - CVE:CVE-2026-42945 | N/A | Block | This is a new detection. |
| Cloudflare Managed Ruleset | 68226e83a4d14ee9a9c878469df0ee6c | N/A | nginx - Remote Code Execution - Heap Spray - CVE:CVE-2026-42945 | N/A | Block | This is a new detection. |

- May 11, 2026
- Date parsed from source: May 11, 2026
- First seen by Releasebot: May 12, 2026
Application Security by Cloudflare
WAF - WAF Release - 2026-05-11
Application Security releases managed rule enhancements that improve detection resilience and expand behavioral coverage against web attacks, including a new beta Java deserialization remote code execution rule merged into the original detection.
Key Findings
Existing rule enhancements have been deployed to improve detection resilience against broad classes of web attacks and strengthen behavioral coverage.
Continuous Rule Improvements
We are continuously refining our managed rules to provide more resilient protection and deeper insights into attack patterns. To ensure an optimal security posture, we recommend consistently monitoring the Security Events dashboard and adjusting rule actions as these enhancements are deployed.
| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| Cloudflare Managed Ruleset | 23ac4a9e53f94467ba470c9468b3c389 | N/A | Remote Code Execution - Java Deserialization - Body - Beta | Block | Disabled | This is a new detection. This rule is merged into the original rule "Remote Code Execution - Java Deserialization" (ID: 36b0532eb3c941449afed2d3744305c4). |

- May 11, 2026
- Date parsed from source: May 11, 2026
- First seen by Releasebot: May 12, 2026
Application Security by Cloudflare
WAF - WAF Release - Scheduled changes for 2026-05-18
Application Security adds new Sitecore cache poisoning detection and merges it into an existing Java deserialization rule.
| Announcement Date | Release Date | Release Behavior | Legacy Rule ID | Rule ID | Description | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| 2026-05-11 | 2026-05-18 | Disabled | N/A | bcdcec3ea63a480896513dc39e9c068d | Sitecore - Cache Poisoning - CVE:CVE-2025-53693 | This is a new detection. This rule will be merged into the original rule "Remote Code Execution - Java Deserialization" (ID: d1bd7563e6254db48ce703807c5b669c) |

- May 7, 2026
- Date parsed from source: May 7, 2026
- First seen by Releasebot: May 7, 2026
Application Security by Cloudflare
Security Center - CSV export and adjustable page density for RFIs
Application Security adds CSV export for Requests for Information history and lets users customize how many RFI records load per page, improving data portability and dashboard performance for Cloudforce One subscribers.
You can now export your Requests for Information (RFI) history to a CSV document and customize your dashboard view by choosing how many RFI records to load per page.
Why this matters
These quality-of-life updates focus on data portability and dashboard performance, allowing power users to manage high volumes of requests more efficiently:
- The new CSV export allows you to move RFI data into external tools for custom reporting, internal auditing, or cross-referencing with other security projects without manual data entry
- With adjustable page density, you can now choose to load more records at once (10, 25 or 50) to scan through history faster
Cloudforce One subscribers can find these new options in Cloudflare Dashboard > Application Security > Threat Intelligence > Requests for Information.
- May 7, 2026
- Date parsed from source: May 7, 2026
- First seen by Releasebot: May 7, 2026
Application Security by Cloudflare
WAF - WAF Release - 2026-05-07 - Emergency
Application Security releases an emergency rule to detect Next.js App Router middleware and proxy bypass attempts via segment-prefetch routes, addressing CVE-2026-44575 and helping protect apps from unauthorized access.
This emergency release introduces a new rule to detect Next.js App Router middleware and proxy bypass attempts via segment-prefetch routes (CVE-2026-44575).
Key Findings
CVE-2026-44575: Next.js Middleware / Proxy Bypass in App Router Applications via Segment-Prefetch Routes
Successful exploitation allows unauthenticated attackers to bypass middleware or proxy-based authorization checks in affected Next.js App Router applications. This leads to unauthorized access to protected content, potential exposure of sensitive application data, and compromise of application security boundaries.
We strongly recommend upgrading to Next.js 15.5.16 or 16.2.5 (or later) immediately to address the underlying vulnerability. If you cannot upgrade immediately, enforce authorization in the underlying route or page logic instead of relying solely on middleware.
| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| Cloudflare Managed Ruleset | 1de95bf6d6374e1099854278e77e4a53 | N/A | Next.js - Middleware Bypass via Invalid RSC Header - CVE:CVE-2026-44575 | N/A | Disabled | This is a new detection. |

- May 6, 2026
- Date parsed from source: May 6, 2026
- First seen by Releasebot: May 7, 2026
Application Security by Cloudflare
Security Center - TAXII support added to Threat Events API
Application Security now supports TAXII output for the Cloudforce One Threat Events API, enabling standardized threat intelligence sharing with SIEM, TIP, and SOAR tools and reducing manual update overhead.
The Cloudforce One Threat Events API now supports TAXII as an output format, enabling standardized, automated sharing of cyber threat intelligence with your existing security stack.
Why this matters
You can now ingest Cloudforce One threat data directly into your SIEM, TIP or SOAR tools that prefer TAXII-formatted streams without needing custom translation scripts.
By supporting the TAXII format parameter in our API, security teams can automate the synchronization of indicator data, reducing the manual overhead of updating blocklists and detection rules.
This alignment with industry standards ensures that your threat data remains consistent across different security ecosystems and partner integrations.
How to use it
When calling the Threat Events API, you can now specify taxii in the format query parameter:
GET /accounts/{account_id}/cloudforce_one/threat_events?format=taxii
You can find the updated documentation in the Cloudflare API Reference.
- May 4, 2026
- Date parsed from source: May 4, 2026
- First seen by Releasebot: May 7, 2026
Application Security by Cloudflare
WAF - WAF Release - 2026-05-04
Application Security adds new managed rule detections for command injection, SQL injection, PHP object injection, remote code execution, and XSS to expand web attack coverage and improve protection resilience.
This week's release focuses on new detections to expand coverage across command injection, SQL injection, PHP object injection, remote code execution, and XSS attack vectors.
Key Findings
Existing rule enhancements have been deployed to improve detection resilience against broad classes of web attacks and strengthen behavioral coverage.
Continuous Rule Improvements
We are continuously refining our managed rules to provide more resilient protection and deeper insights into attack patterns. To ensure an optimal security posture, we recommend consistently monitoring the Security Events dashboard and adjusting rule actions as these enhancements are deployed.
| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| Cloudflare Managed Ruleset | 607ec27233b54beb8b89386ef0884a68 | N/A | XSS, HTML Injection - Object Tag - Body (beta) | Log | Block | This is a new detection. This rule is merged into the original rule "XSS, HTML Injection - Object Tag" (ID: e9e3ac45a6d842f1a132fbf70c14e284). |
| Cloudflare Managed Ruleset | 0087c27420c54168a10bc05eff012303 | N/A | XSS, HTML Injection - Object Tag - Headers | Log | Block | This is a new detection. The rule previously known as "XSS, HTML Injection - Object Tag - Headers (beta)" is now renamed to "XSS, HTML Injection - Object Tag - Headers". |
| Cloudflare Managed Ruleset | 38dc97853ebf40ed9476ec7816f921d9 | N/A | XSS, HTML Injection - Object Tag - URI | Log | Block | This is a new detection. The rule previously known as "XSS, HTML Injection - Object Tag - URI (beta)" is now renamed to "XSS, HTML Injection - Object Tag - URI". |
| Cloudflare Managed Ruleset | 963cb530f72d4c75b2ae7befdc90d21a | N/A | Command Injection - Generic 9 - Body Vector - Beta | N/A | Disabled | This is a new detection. This rule is merged into the original rule "Command Injection - Generic 9 - Body Vector" (ID: 155bb67d1061479e995a38510677175f) |
| Cloudflare Managed Ruleset | 6ac1b6dfe22449a798cc7021f8960375 | N/A | Command Injection - Generic 9 - Header Vector - Beta | N/A | Disabled | This is a new detection. This rule is merged into the original rule "Command Injection - Generic 9 - Header Vector" (ID: b31c34a7b29b4aaf9be6883d1eb7a999) |
| Cloudflare Managed Ruleset | 47a9b66dd73a4a558590c4bdef47a800 | N/A | Command Injection - Generic 9 - URI Vector - Beta | N/A | Disabled | This is a new detection. This rule is merged into the original rule "Command Injection - Generic 9 - URI Vector" (ID: 54ad0465c30d4cd2ac7a707197321c6c) |
| Cloudflare Managed Ruleset | d2ae4a8093f245a1b9de71bbbeebf804 | N/A | Command Injection - Sleep - Body | N/A | Disabled | This is a new detection. The rule previously known as "Command Injection Sleep" is now renamed to "Command Injection - Sleep - Body". |
| Cloudflare Managed Ruleset | da91868c0d3d44afb846e7830d257566 | N/A | Command Injection - Sleep - Headers | N/A | Disabled | This is a new detection. |
| Cloudflare Managed Ruleset | 04863c61e982464b91778f051856fe86 | N/A | Command Injection - Sleep - URI | N/A | Disabled | This is a new detection. |
| Cloudflare Managed Ruleset | 9dc1a0b8dbb7425db619309be6e43c37 | N/A | Fortinet FortiSandbox - Command Injection - CVE:CVE-2026-39808 | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | b84c10f5a8f84800905932dc88118795 | N/A | Remote Code Execution - Common Bash Bypass - Headers | N/A | Disabled | This is a new detection. |
| Cloudflare Managed Ruleset | f496c40011f14bfdb5f55ec79299d53b | N/A | Remote Code Execution - Common Bash Bypass - URI | N/A | Disabled | This is a new detection. |
| Cloudflare Managed Ruleset | a5f75abac2664554a984d061b0bf33f9 | N/A | Remote Code Execution - Common Bash Bypass - Body - Beta | N/A | Disabled | This is a new detection. This rule is merged into the original rule "Remote Code Execution - Common Bash Bypass Body" (ID: 6e2f7a696ea74c979e7d069cefb7e5b9). The rule previously known as "Remote Code Execution - Common Bash Bypass Beta" is now renamed to "Remote Code Execution - Common Bash Bypass Body". |
| Cloudflare Managed Ruleset | bbb31a886ab54f6c8cdd220d33bfe8b9 | N/A | PHP Object Injection - 2 - Body - Beta | N/A | Disabled | This is a new detection. This rule is merged into the original rule "PHP Object Injection - 2" (ID: 8ef3c3f91eef46919cc9cb6d161aafdc) |
| Cloudflare Managed Ruleset | e199688ab69746c88c33457f29552387 | N/A | PHP Object Injection - 2 - Headers | N/A | Disabled | This is a new detection. |
| Cloudflare Managed Ruleset | eb33d40e96c54e929af6ed9c8104f4c5 | N/A | PHP Object Injection - 2 - URI | N/A | Disabled | This is a new detection. |
| Cloudflare Managed Ruleset | 76b15b7b122a4be6a40d8aa96a46201e | N/A | SQLi - DROP - 2 - Beta | N/A | Disabled | This is a new detection. This rule is merged into the original rule "SQLi - DROP - 2" (ID: a967a167874b42b6898be46e48ac2221) |
| Cloudflare Managed Ruleset | e24b2ef4a5c54f97a62db7a68b7f85ee | N/A | SQLi - DROP - 2 - Headers | N/A | Disabled | This is a new detection. |
| Cloudflare Managed Ruleset | 51123f35f1d249358aea8fb11546b5f0 | N/A | SQLi - DROP - 2 - URI | N/A | Disabled | This is a new detection. |
| Cloudflare Managed Ruleset | d86d8873310d41f2877458a91e053dce | N/A | SmarterMail - Remote Code Execution - CVE:CVE-2026-24423 | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | 00da180570d34b5bae2121acd0023a36 | N/A | SQLi - SELECT Expression - Body | Block | Disabled | Action changed |
| Cloudflare Managed Ruleset | c46d9097c9ef419aa4d9f10626cc211f | N/A | SQLi - String Concatenation - URI | Block | Disabled | Action changed |

- May 4, 2026
- Date parsed from source: May 4, 2026
- First seen by Releasebot: May 7, 2026
Application Security by Cloudflare
WAF - WAF Release - Scheduled changes for 2026-05-11
Application Security adds new Java deserialization remote code execution detections for body, headers, and URI traffic, including a beta body rule that will merge into the original rule.
| Announcement Date | Release Date | Release Behavior | Legacy Rule ID | Rule ID | Description | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| 2026-05-04 | 2026-05-11 | Disabled | N/A | 23ac4a9e53f94467ba470c9468b3c389 | Remote Code Execution - Java Deserialization - Body - Beta | This is a new detection. This rule will be merged into the original rule "Remote Code Execution - Java Deserialization" (ID: 36b0532eb3c941449afed2d3744305c4) |
| 2026-05-04 | 2026-05-11 | Disabled | N/A | 08dc41aba360462497aed46b519e9982 | Remote Code Execution - Java Deserialization - Headers | This is a new detection. |
| 2026-05-04 | 2026-05-11 | Disabled | N/A | f9a1690105e44d08a74762467fe726a2 | Remote Code Execution - Java Deserialization - URI | This is a new detection. |

- Apr 30, 2026
- Date parsed from source: Apr 30, 2026
- First seen by Releasebot: Apr 30, 2026
Application Security by Cloudflare
WAF - WAF Release - 2026-04-30 - Emergency
Application Security releases an emergency rule to block a cPanel & WHM authentication bypass tied to CVE-2026-41940, adding protection against a critical unauthenticated attack that could lead to administrative access and server compromise.
This emergency release introduces a new rule to block a cPanel & WHM Authentication Bypass related to CVE-2026-41940.
Key Findings
CVE-2026-41940: A critical authentication bypass vulnerability in cPanel & WHM allows unauthenticated remote attackers to bypass authentication mechanisms and gain unauthorized administrative access to the web hosting control panel. This vulnerability affects the session validation logic, enabling attackers to craft malicious requests that circumvent normal authentication checks.
Impact
Successful exploitation allows unauthenticated attackers to gain administrative control over affected cPanel & WHM installations. This leads to complete server compromise, potential theft or manipulation of hosted data, and significant service disruption across managed environments.
We strongly recommend applying official vendor patches for cPanel & WHM immediately to address the underlying vulnerability.
| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| Cloudflare Managed Ruleset | fb29b1b660864285a5ebac86eb2b9e2f | N/A | cPanel - Auth Bypass - CVE:CVE-2026-41940 | N/A | Block | This is a new detection. |

- Apr 27, 2026
- Date parsed from source: Apr 27, 2026
- First seen by Releasebot: Apr 28, 2026
Application Security by Cloudflare
WAF - WAF Release - 2026-04-27
Application Security expands managed rule coverage with new SQL injection detections across body, headers, and URI, plus stronger behavioral protection and refined rule mappings for broader attack resilience.
Key Findings
This week's release focuses on new improvements to enhance coverage.
Existing rule enhancements have been deployed to improve detection resilience against broad classes of web attacks and strengthen behavioral coverage.
Continuous Rule Improvements
We are continuously refining our managed rules to provide more resilient protection and deeper insights into attack patterns. To ensure an optimal security posture, we recommend consistently monitoring the Security Events dashboard and adjusting rule actions as these enhancements are deployed.
| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| Cloudflare Managed Ruleset | d866f980582748568385b94480cec1dd | N/A | PostgreSQL - SQLi - COPY - Beta | Log | Block | This is a new detection. This rule is merged into the original rule "PostgreSQL - SQLi - COPY - Body" (ID: 705a6b5569d5472596910e3ce7265a4e). The rule previously known as "PostgreSQL - SQLi - COPY" is now renamed to "PostgreSQL - SQLi - COPY - Body". |
| Cloudflare Managed Ruleset | 71d133c374d94559aa9fdf042903de89 | N/A | PostgreSQL - SQLi - COPY - Headers | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | 9f1b1b7fd28a401b9d5c172d1036cfa6 | N/A | PostgreSQL - SQLi - COPY - URI | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | 8e40416659334b8ba789365755ff389e | N/A | SQLi - AND/OR MAKE_SET/ELT - Beta | Log | Block | This is a new detection. This rule is merged into the original rule "SQLi - AND/OR MAKE_SET/ELT - Body" (ID: 0f41a593c8fe42c38a26f709252d3934). The rule previously known as "SQLi - AND/OR MAKE_SET/ELT" is now renamed to "SQLi - AND/OR MAKE_SET/ELT - Body". |
| Cloudflare Managed Ruleset | 1e0d4372ee1e41b9804b2d5c346487f9 | N/A | SQLi - AND/OR MAKE_SET/ELT - Headers | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | d2c961a164a64cf6b871c9511ac6ceca | N/A | SQLi - AND/OR MAKE_SET/ELT - URI | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | 4dacc0e6f32d4c5da3c2293edd471337 | N/A | SQLi - Common Patterns - Beta | Log | Block | This is a new detection. This rule is merged into the original rule "SQLi - Common Patterns - Body" (ID: 98f746d07a6d48ab9dae669acb5d0b9b). The rule previously known as "SQLi - Common Patterns" is now renamed to "SQLi - Common Patterns - Body". |
| Cloudflare Managed Ruleset | 53a374379f2e41e9934791c1975c07b7 | N/A | SQLi - Common Patterns - Headers | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | 9efedebfc371443f9fe7308605b1b06b | N/A | SQLi - Common Patterns - URI | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | d53a791496d64700870334f4dd0ba3c7 | N/A | SQLi - Equation - Beta | Log | Block | This is a new detection. This rule is merged into the original rule "SQLi - Equation - Body" (ID: e7691e1e4f4d4769909f3df6c2eb3e7f). The rule previously known as "SQLi - Equation" is now renamed to "SQLi - Equation - Body". |
| Cloudflare Managed Ruleset | 46efbd3496e64c3f902ad33d3d1c2384 | N/A | SQLi - Equation - Headers | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | 46b937649a424b7ead90f6d0e1149ea6 | N/A | SQLi - Equation - URI | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | 04d9182545f54ba8a4fa29fe205adbb0 | N/A | SQLi - AND/OR Digit Operator Digit - Beta | Log | Block | This is a new detection. This rule is merged into the original rule "SQLi - AND/OR Digit Operator Digit - Body" (ID: 762dd334ed0b4273816e3ff13893c564). The rule previously known as "SQLi - AND/OR Digit Operator Digit" is now renamed to "SQLi - AND/OR Digit Operator Digit - Body". |
| Cloudflare Managed Ruleset | a24e7c15503948bc8766481aad2abbaa | N/A | SQLi - AND/OR Digit Operator Digit - Headers | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | 0c55eb362df64f92a85aa46753acbc0d | N/A | SQLi - AND/OR Digit Operator Digit - URI | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | 18c9879b7e184c559d23c1652b45a97d | N/A | SQLi - Benchmark Function - Beta | Log | Block | This is a new detection. This rule is merged into the original rule "SQLi - Benchmark Function - Body" (ID: ac4e9ebfb43a4f3998f6072d2ebc44ad). The rule previously known as "SQLi - Benchmark Function" is now renamed to "SQLi - Benchmark Function - Body". |
| Cloudflare Managed Ruleset | 2adbc36c52324efcb4681b829889aadc | N/A | SQLi - Benchmark Function - Headers | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | 69564af3bc54406080deed72491b28e9 | N/A | SQLi - Benchmark Function - URI | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | 94b1646f0b0b46ec9b96f7742aa649de | N/A | SQLi - Comparison - Beta | Log | Block | This is a new detection. This rule is merged into the original rule "SQLi - Comparison - Body" (ID: 8166da327a614849bfa29317e7907480). The rule previously known as "SQLi - Comparison" is now renamed to "SQLi - Comparison - Body". |
| Cloudflare Managed Ruleset | 455ce87681bd4200bf53456c39e3e013 | N/A | SQLi - Comparison - Headers | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | 8152816062ed47f69be0f907f4bdb492 | N/A | SQLi - Comparison - URI | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | d5afd403a0544248b829fe5da1ff3b34 | N/A | SQLi - String Concatenation - Body - Beta | Log | Block | This is a new detection. This rule is merged into the original rule "SQLi - String Concatenation - Headers" (ID: 3b0c61407d0b4f7d87e516472116d2fe). The rule previously known as "SQLi - String Concatenation - Headers" is now renamed to "SQLi - String Concatenation - Body". |
| Cloudflare Managed Ruleset | cb0ec290ee454138abe18b750d0e6c3b | N/A | SQLi - String Concatenation - Headers | Log | Block | This is a new detection. (Former Id was 380099df2bb2469c91ebbb7b846d1940) |
| Cloudflare Managed Ruleset | c46d9097c9ef419aa4d9f10626cc211f | N/A | SQLi - String Concatenation - URI | Log | Block | This is a new detection. (Former Id was bd19397228404b85aa3797238fae8c84) |
| Cloudflare Managed Ruleset | 6542d36980cf4018b4d5e2bfeacc78ab | N/A | SQLi - SELECT Expression - Beta | Log | Block | This is a new detection. This rule is merged into the original rule "SQLi - SELECT Expression - Body" (ID: 00da180570d34b5bae2121acd0023a36). The rule previously known as "SQLi - SELECT Expression" is now renamed to "SQLi - SELECT Expression - Body". |
| Cloudflare Managed Ruleset | 4073f7b575ff45dfb7621b43630bb223 | N/A | SQLi - SELECT Expression - Headers | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | 2721e3184d50466ea637e9afdcd6efb5 | N/A | SQLi - SELECT Expression - URI | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | 7ecca84c08aa4aad9b5a7bda18c47cea | N/A | SQLi - ORD and ASCII - Beta | Log | Block | This is a new detection. This rule is merged into the original rule "SQLi - ORD and ASCII- Body" (ID: 2fc38b34a9d744d2a3cbcc41d0d207f9). The rule previously known as "SQLi - ORD and ASCII" is now renamed to "SQLi - ORD and ASCII- Body". |
| Cloudflare Managed Ruleset | f6d10e10c9514eb49dcc2122bdb1618f | N/A | SQLi - ORD and ASCII - URI | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | 60704f5c5513425c94cf77031d0906b6 | N/A | SQLi - ORD and ASCII - Headers | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | 700613b191d3479ea2782b4e9fe4eff5 | N/A | SQLi - Destructive Operations | Log | Block | This is a new detection. |

- Apr 27, 2026
- Date parsed from source: Apr 27, 2026
- First seen by Releasebot: Apr 28, 2026
Application Security by Cloudflare
WAF - WAF Release - Scheduled changes for 2026-05-04
Application Security adds new beta and general detections for command injection, SQLi, PHP object injection, remote code execution, and XSS or HTML injection across body, header, and URI vectors, expanding protection against common web attack patterns.
| Announcement Date | Release Date | Release Behavior | Legacy Rule ID | Rule ID | Description | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| 2026-04-27 | 2026-05-04 | Disabled | N/A | 963cb530f72d4c75b2ae7befdc90d21a | Command Injection - Generic 9 - Body Vector - Beta | This is a new detection. This rule will be merged into the original rule "Command Injection - Generic 9 - Body Vector" (ID: 155bb67d1061479e995a38510677175f) |
| 2026-04-27 | 2026-05-04 | Disabled | N/A | 6ac1b6dfe22449a798cc7021f8960375 | Command Injection - Generic 9 - Header Vector - Beta | This is a new detection. This rule will be merged into the original rule "Command Injection - Generic 9 - Header Vector" (ID: b31c34a7b29b4aaf9be6883d1eb7a999) |
| 2026-04-27 | 2026-05-04 | Disabled | N/A | 47a9b66dd73a4a558590c4bdef47a800 | Command Injection - Generic 9 - URI Vector - Beta | This is a new detection. This rule will be merged into the original rule "Command Injection - Generic 9 - URI Vector" (ID: 54ad0465c30d4cd2ac7a707197321c6c) |
| 2026-04-27 | 2026-05-04 | Disabled | N/A | 5f618c47b24449058c305e6547c2132d | Command Injection - Sleep - Beta | This is a new detection. This rule will be merged into the original rule "Command Injection - Sleep" (ID: d2ae4a8093f245a1b9de71bbbeebf804) |
| 2026-04-27 | 2026-05-04 | Disabled | N/A | da91868c0d3d44afb846e7830d257566 | Command Injection - Sleep - Headers | This is a new detection. |
| 2026-04-27 | 2026-05-04 | Disabled | N/A | 04863c61e982464b91778f051856fe86 | Command Injection - Sleep - URI | This is a new detection. |
| 2026-04-27 | 2026-05-04 | Disabled | N/A | 9dc1a0b8dbb7425db619309be6e43c37 | Fortinet FortiSandbox - Command Injection - CVE:CVE-2026-39808 | This is a new detection. |
| 2026-04-27 | 2026-05-04 | Log | N/A | d86d8873310d41f2877458a91e053dce | SmarterMail - Remote Code Execution - CVE:CVE-2026-24423 | This is a new detection. |
| 2026-04-27 | 2026-05-04 | Disabled | N/A | 51123f35f1d249358aea8fb11546b5f0 | SQLi - DROP - 2 - URI | This is a new detection. |
| 2026-04-27 | 2026-05-04 | Disabled | N/A | e24b2ef4a5c54f97a62db7a68b7f85ee | SQLi - DROP - 2 - Headers | This is a new detection. |
| 2026-04-27 | 2026-05-04 | Disabled | N/A | 76b15b7b122a4be6a40d8aa96a46201e | SQLi - DROP - 2 - Beta | This is a new detection. This rule will be merged into the original rule "SQLi - DROP - 2" (ID: a967a167874b42b6898be46e48ac2221) |
| 2026-04-27 | 2026-05-04 | Disabled | N/A | eb33d40e96c54e929af6ed9c8104f4c5 | PHP Object Injection - 2 - URI | This is a new detection. |
| 2026-04-27 | 2026-05-04 | Disabled | N/A | e199688ab69746c88c33457f29552387 | PHP Object Injection - 2 - Headers | This is a new detection. |
| 2026-04-27 | 2026-05-04 | Disabled | N/A | bbb31a886ab54f6c8cdd220d33bfe8b9 | PHP Object Injection - 2 - Body - Beta | This is a new detection. This rule will be merged into the original rule "PHP Object Injection - 2" (ID: 8ef3c3f91eef46919cc9cb6d161aafdc) |
| 2026-04-27 | 2026-05-04 | Disabled | N/A | a5f75abac2664554a984d061b0bf33f9 | Remote Code Execution - Common Bash Bypass - Body - Beta | This is a new detection. This rule will be merged into the original rule "Remote Code Execution - Common Bash Bypass" (ID: f8238867ed3e4d3a9a7b731a50cec478) |
| 2026-04-27 | 2026-05-04 | Disabled | N/A | f496c40011f14bfdb5f55ec79299d53b | Remote Code Execution - Common Bash Bypass - URI | This is a new detection. |
| 2026-04-27 | 2026-05-04 | Disabled | N/A | b84c10f5a8f84800905932dc88118795 | Remote Code Execution - Common Bash Bypass - Headers | This is a new detection. |
| 2026-04-21 | 2026-05-04 | Log | N/A | 607ec27233b54beb8b89386ef0884a68 | XSS, HTML Injection - Object Tag - Body (beta) | This is a new detection. |
| 2026-04-21 | 2026-05-04 | Log | N/A | 0087c27420c54168a10bc05eff012303 | XSS, HTML Injection - Object Tag - Headers (beta) | This is a new detection. |
| 2026-04-21 | 2026-05-04 | Log | N/A | 38dc97853ebf40ed9476ec7816f921d9 | XSS, HTML Injection - Object Tag - URI (beta) | This is a new detection. |

- Apr 27, 2026
- Date parsed from source: Apr 27, 2026
- First seen by Releasebot: Apr 27, 2026
Application Security by Cloudflare
Security Center - Unified workspace for Brand Protection
Application Security adds a unified investigation workspace in Brand Protection, letting analysts combine saved queries into one Combined Matches view, open extended views in separate tabs, and clear selections to streamline complex portfolio investigations.
We have introduced a unified investigation workspace within Brand Protection to help analysts manage complex brand portfolios. Instead of jumping between individual queries, you can now consolidate your workflow into a single, cohesive view.
What's new
- You can now select multiple saved queries from your dashboard to generate a consolidated "Combined Matches" view. This allows you to triage results from different brand queries in one unified table.
- You can open query extended views in distinct tabs within the Brand Protection dashboard. This enables you to maintain multiple investigation contexts simultaneously and switch between them without losing your place.
- You can reset your workspace using the new "Clear Selection" action, making it easier to pivot between different investigation sets.
Key benefits
- Eliminate fragmented workflows by viewing all matches across different query buckets in a single table, reducing the need to click through dozens of individual query pages
- Correlate related campaigns by seeing similar domains or infrastructure patterns that appear across multiple saved queries
Learn more in our Brand Protection documentation.
- Apr 21, 2026
- Date parsed from source: Apr 21, 2026
- First seen by Releasebot: Apr 22, 2026
Application Security by Cloudflare
WAF - WAF Release - 2026-04-21
Application Security adds new detections for Apache ActiveMQ RCE CVE-2026-34197 and Magento 2 unrestricted file upload, while refining managed rules for SQLi, XSS, and command injection coverage.
Key Findings
This week's release introduces a new detection for a Remote Code Execution (RCE) vulnerability in Apache ActiveMQ (CVE-2026-34197) and an updated signature for Magento 2 - Unrestricted File Upload. Alongside these detections, we are continuing our work on rule refinements to provide deeper security insights for our customers.
Apache ActiveMQ (CVE-2026-34197): A vulnerability in Apache ActiveMQ allows an unauthenticated, remote attacker to execute arbitrary code. This flaw occurs during the processing of specially crafted network packets, leading to potential full system compromise.
Magento 2 - Unrestricted File Upload - 2: This is a follow-up enhancement to our existing protections for Magento and Adobe Commerce.
Impact
Successful exploitation of these vulnerabilities could allow unauthenticated attackers to execute arbitrary code or gain full administrative control over affected servers. We strongly recommend applying official vendor patches for Apache ActiveMQ and Magento to address the underlying vulnerabilities.
Continuous Rule Improvements
We are continuously refining our managed rules to provide more resilient protection and deeper insights into attack patterns. To ensure an optimal security posture, we recommend consistently monitoring the Security Events dashboard and adjusting rule actions as these enhancements are deployed.
| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| Cloudflare Managed Ruleset | ff8df24181aa4573a81be531ee159e2e | N/A | Command Injection - Generic 8 - uri | Log | Block | This is a new detection. Previous description was "Command Injection - Generic 8 - uri - Beta" |
| Cloudflare Managed Ruleset | 9429b63c137247faadeb8a29a15308cf | N/A | Command Injection - Generic 8 - body | Disabled | Disabled | Rule metadata description refined. Previous description was "Command Injection - Generic 8" (ID: 5b3ce84c099040c6a25cee2d413592e2) |
| Cloudflare Managed Ruleset | 9429b63c137247faadeb8a29a15308cf | N/A | Command Injection - Generic 8 - body - Beta | Disabled | Disabled | This is a new detection. This rule is merged into the original rule "Command Injection - Generic 8 - body" (ID: 5b3ce84c099040c6a25cee2d413592e2) |
| Cloudflare Managed Ruleset | 8629bb58defe4193ab4d493c7bd2d8fa | N/A | MySQL - SQLi - Executable Comment - Body | Block | Block | Rule metadata description refined. Previous description was "MySQL - SQLi - Executable Comment" (ID: 8629bb58defe4193ab4d493c7bd2d8fa) |
| Cloudflare Managed Ruleset | 85aaf5db9e0c4237b87e837e958047ed | N/A | MySQL - SQLi - Executable Comment - Beta | Log | Block | This is a new detection. This rule is merged into the original rule "MySQL - SQLi - Executable Comment - Body" (ID: 8629bb58defe4193ab4d493c7bd2d8fa) |
| Cloudflare Managed Ruleset | d19cd574c4644952881a6f3a582cc559 | N/A | MySQL - SQLi - Executable Comment - Headers | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | 407f9ec8a17348dfba3b9450a16639d3 | N/A | MySQL - SQLi - Executable Comment - URI | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | d07e6dbf15664b99b37b0d2544f24211 | N/A | Magento 2 - Unrestricted file upload - 2 | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | 26ef21cb197b44fc8a98b7cebf170a17 | N/A | Apache ActiveMQ - Remote Code Execution - CVE:CVE-2026-34197 | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | 7f7bc3d28a8e43bf97bd15d68c2ac1a7 | N/A | SQLi - Sleep Function - Beta | Log | Block | This is a new detection. This rule is merged into the original rule "SQLi - Sleep Function" (ID: 2c333735f7b24566b17cb64ef77e8d54) |
| Cloudflare Managed Ruleset | 3872e5638bdf4bf0943a80394dacaeb8 | N/A | SQLi - Sleep Function - Headers | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | bebce8fadfa94ccab09eb74fed4c9ece | N/A | SQLi - Sleep Function - URI | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | 7a40eed5a8654a50a2598a821dfa64df | N/A | SQLi - Probing - uri | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | 15c6b2ce033949b2a1a9f9454c62e2e7 | N/A | SQLi - Probing - header | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | fc9d800b7a724181af8d5650aab28ea1 | N/A | SQLi - Probing - body | Disabled | Disabled | This is a new detection. This rule is merged into the original rule "SQLi - Probing" (ID: 2c20b5e8684043f48620ff77b4026c88) |
| Cloudflare Managed Ruleset | 945c5aa9f45141dd872d7ec920999be0 | N/A | SQLi - Probing 2 | Disabled | Disabled | This rule had duplicate detection logic and has been deprecated. |
| Cloudflare Managed Ruleset | f1771273700342758e73cf16d7aa0008 | N/A | SQLi - UNION in MSSQL - Body | Disabled | Disabled | This rule has been renamed to differentiate from "SQLi - UNION in MSSQL" (ID: ef7db598c7654c729d9db56fee5e35fd) and contains updated rule logic. |
| Cloudflare Managed Ruleset | 3ffd242b4ba242ca965022d3a67d8561 | N/A | SQLi - UNION - 3 | Disabled | Disabled | This rule had duplicate detection logic and has been deprecated. |
| Cloudflare Managed Ruleset | 5e69d599ad634c81abe36a5f0af34bba | N/A | XSS, HTML Injection - Embed Tag - URI | Disabled | Disabled | This is a new detection. |
| Cloudflare Managed Ruleset | 2635275641bf44d4bad6a2e170282f38 | N/A | XSS, HTML Injection - Embed Tag - Headers | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | b3d033ea9f364574b0a2ec4223f4d718 | N/A | XSS, HTML Injection - IFrame Tag - Src and Srcdoc Attributes - Headers | Log | Disabled | This is a new detection. |
| Cloudflare Managed Ruleset | 76c37816ef5c4997ab2080a36978def1 | N/A | XSS, HTML Injection - Link Tag - Headers | Log | Disabled | This is a new detection. |
| Cloudflare Managed Ruleset | 7d6757e8a28f4853a72b4ce6ebd81645 | N/A | XSS, HTML Injection - Link Tag - URI | Disabled | Disabled | This is a new detection. |

Original source
- Apr 21, 2026
- Date parsed from source:Apr 21, 2026
- First seen by Releasebot:Apr 22, 2026
Application Security by Cloudflare
WAF - WAF Release - Scheduled changes for 2026-04-27
Application Security adds a broad set of new attack detections, expanding SQLi coverage across PostgreSQL, common patterns, comparisons, benchmark functions, string concatenation and more, plus new XSS and HTML injection object tag detections with body, headers and URI support.
| Announcement Date | Release Date | Release Behavior | Legacy Rule ID | Rule ID | Description | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| 2026-04-21 | 2026-04-27 | Log | N/A | d866f980582748568385b94480cec1dd | PostgreSQL - SQLi - COPY - Beta | This is a new detection. This rule will be merged into the original rule "PostgreSQL - SQLi - COPY" (ID: 705a6b5569d5472596910e3ce7265a4e) |
| 2026-04-21 | 2026-04-27 | Log | N/A | 71d133c374d94559aa9fdf042903de89 | PostgreSQL - SQLi - COPY - Headers | This is a new detection. |
| 2026-04-21 | 2026-04-27 | Log | N/A | 9f1b1b7fd28a401b9d5c172d1036cfa6 | PostgreSQL - SQLi - COPY - URI | This is a new detection. |
| 2026-04-21 | 2026-04-27 | Log | N/A | 700613b191d3479ea2782b4e9fe4eff5 | SQLi - Destructive Operations | This is a new detection. |
| 2026-04-21 | 2026-04-27 | Log | N/A | 8e40416659334b8ba789365755ff389e | SQLi - AND/OR MAKE_SET/ELT - Beta | This is a new detection. This rule will be merged into the original rule "SQLi - AND/OR MAKE_SET/ELT" (ID: 0f41a593c8fe42c38a26f709252d3934) |
| 2026-04-21 | 2026-04-27 | Log | N/A | 1e0d4372ee1e41b9804b2d5c346487f9 | SQLi - AND/OR MAKE_SET/ELT - Headers | This is a new detection. |
| 2026-04-21 | 2026-04-27 | Log | N/A | d2c961a164a64cf6b871c9511ac6ceca | SQLi - AND/OR MAKE_SET/ELT - URI | This is a new detection. |
| 2026-04-21 | 2026-04-27 | Log | N/A | 4dacc0e6f32d4c5da3c2293edd471337 | SQLi - Common Patterns - Beta | This is a new detection. This rule will be merged into the original rule "SQLi - Common Patterns" (ID: 98f746d07a6d48ab9dae669acb5d0b9b) |
| 2026-04-21 | 2026-04-27 | Log | N/A | 53a374379f2e41e9934791c1975c07b7 | SQLi - Common Patterns - Headers | This is a new detection. |
| 2026-04-21 | 2026-04-27 | Log | N/A | 9efedebfc371443f9fe7308605b1b06b | SQLi - Common Patterns - URI | This is a new detection. |
| 2026-04-21 | 2026-04-27 | Log | N/A | d53a791496d64700870334f4dd0ba3c7 | SQLi - Equation - Beta | This is a new detection. This rule will be merged into the original rule "SQLi - Equation" (ID: e7691e1e4f4d4769909f3df6c2eb3e7f) |
| 2026-04-21 | 2026-04-27 | Log | N/A | 46efbd3496e64c3f902ad33d3d1c2384 | SQLi - Equation - Headers | This is a new detection. |
| 2026-04-21 | 2026-04-27 | Log | N/A | 46b937649a424b7ead90f6d0e1149ea6 | SQLi - Equation - URI | This is a new detection. |
| 2026-04-21 | 2026-04-27 | Log | N/A | 04d9182545f54ba8a4fa29fe205adbb0 | SQLi - AND/OR Digit Operator Digit - Beta | This is a new detection. This rule will be merged into the original rule "SQLi - AND/OR Digit Operator Digit" (ID: 762dd334ed0b4273816e3ff13893c564) |
| 2026-04-21 | 2026-04-27 | Log | N/A | a24e7c15503948bc8766481aad2abbaa | SQLi - AND/OR Digit Operator Digit - Headers | This is a new detection. |
| 2026-04-21 | 2026-04-27 | Log | N/A | 0c55eb362df64f92a85aa46753acbc0d | SQLi - AND/OR Digit Operator Digit - URI | This is a new detection. |
| 2026-04-21 | 2026-04-27 | Log | N/A | 18c9879b7e184c559d23c1652b45a97d | SQLi - Benchmark Function - Beta | This is a new detection. This rule will be merged into the original rule "SQLi - Benchmark Function" (ID: ac4e9ebfb43a4f3998f6072d2ebc44ad) |
| 2026-04-21 | 2026-04-27 | Log | N/A | 2adbc36c52324efcb4681b829889aadc | SQLi - Benchmark Function - Headers | This is a new detection. |
| 2026-04-21 | 2026-04-27 | Log | N/A | 69564af3bc54406080deed72491b28e9 | SQLi - Benchmark Function - URI | This is a new detection. |
| 2026-04-21 | 2026-04-27 | Log | N/A | 94b1646f0b0b46ec9b96f7742aa649de | SQLi - Comparison - Beta | This is a new detection. This rule will be merged into the original rule "SQLi - Comparison" (ID: 8166da327a614849bfa29317e7907480) |
| 2026-04-21 | 2026-04-27 | Log | N/A | 455ce87681bd4200bf53456c39e3e013 | SQLi - Comparison - Headers | This is a new detection. |
| 2026-04-21 | 2026-04-27 | Log | N/A | 8152816062ed47f69be0f907f4bdb492 | SQLi - Comparison - URI | This is a new detection. |
| 2026-04-21 | 2026-04-27 | Log | N/A | d5afd403a0544248b829fe5da1ff3b34 | SQLi - String Concatenation - Body - Beta | This is a new detection. This rule will be merged into the original rule "SQLi - String Concatenation - Headers" (ID: 3b0c61407d0b4f7d87e516472116d2fe) |
| 2026-04-21 | 2026-04-27 | Log | N/A | 380099df2bb2469c91ebbb7b846d1940 | SQLi - String Concatenation - Headers | This is a new detection. |
| 2026-04-21 | 2026-04-27 | Log | N/A | bd19397228404b85aa3797238fae8c84 | SQLi - String Concatenation - URI | This is a new detection. |
| 2026-04-21 | 2026-04-27 | Log | N/A | 6542d36980cf4018b4d5e2bfeacc78ab | SQLi - SELECT Expression - Beta | This is a new detection. This rule will be merged into the original rule "SQLi - SELECT Expression" (ID: 00da180570d34b5bae2121acd0023a36) |
| 2026-04-21 | 2026-04-27 | Log | N/A | 4073f7b575ff45dfb7621b43630bb223 | SQLi - SELECT Expression - Headers | This is a new detection. |
| 2026-04-21 | 2026-04-27 | Log | N/A | 2721e3184d50466ea637e9afdcd6efb5 | SQLi - SELECT Expression - URI | This is a new detection. |
| 2026-04-21 | 2026-04-27 | Log | N/A | 7ecca84c08aa4aad9b5a7bda18c47cea | SQLi - ORD and ASCII - Beta | This is a new detection. This rule will be merged into the original rule "SQLi - ORD and ASCII" (ID: 2fc38b34a9d744d2a3cbcc41d0d207f9) |
| 2026-04-21 | 2026-04-27 | Log | N/A | 60704f5c5513425c94cf77031d0906b6 | SQLi - ORD and ASCII - Headers | This is a new detection. |
| 2026-04-21 | 2026-04-27 | Log | N/A | f6d10e10c9514eb49dcc2122bdb1618f | SQLi - ORD and ASCII - URI | This is a new detection. |
| 2026-04-21 | 2026-04-27 | Log | N/A | 607ec27233b54beb8b89386ef0884a68 | XSS, HTML Injection - Object Tag - Body (beta) | This is a new detection. |
| 2026-04-21 | 2026-04-27 | Log | N/A | 0087c27420c54168a10bc05eff012303 | XSS, HTML Injection - Object Tag - Headers (beta) | This is a new detection. |
| 2026-04-21 | 2026-04-27 | Log | N/A | 38dc97853ebf40ed9476ec7816f921d9 | XSS, HTML Injection - Object Tag - URI (beta) | This is a new detection. |

Original source
- Apr 20, 2026
- Date parsed from source:Apr 20, 2026
- First seen by Releasebot:Apr 30, 2026
Application Security by Cloudflare
Security Overview - Archive and audit security action items
Application Security adds enhanced archiving and audit controls for security action items in Security Overview, letting teams remove resolved or irrelevant items while keeping a clear compliance trail with required rationale and new API access to status-change history.
Archive and audit security action items
Introducing enhanced archiving capabilities for security action items within the Security Overview dashboard. This update allows security teams to maintain a cleaner workspace by removing resolved, accepted, or irrelevant items from their active list while maintaining a clear paper trail for compliance.
Why this matters
Managing a high volume of security insights can be overwhelming. Previously, users lacked a structured way to dismiss items without losing the context of why they were ignored.
With these new archiving options—False Positive, Accept Risk, and Other—you can now suppress items indefinitely with required rationale text for risk-based decisions. This ensures that your team remains focused on critical, actionable vulnerabilities while preserving institutional knowledge for audits.
Key features
Structured Archiving: Choose from specific categories to define why an action item is being moved.
Required Rationale: For "Accept Risk" and "Other" categories, users must provide documentation, ensuring accountability for security decisions.
Audit Log Transparency: New API endpoints allow you to programmatically retrieve the history of status changes and rationale for any insight at the account or zone level.
Reversible Actions: Any archived item can be moved back to the active list at any time if the security context changes.
Note
Archiving a suspicious activity item will remove it from the Security Overview page, but the activity will remain visible in your Security Analytics dashboard for deeper forensic analysis.
Example: Retrieve audit logs via API
To review the history and rationale of a specific archived issue at the account level, you can use the following API command:
curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/insights/{insight_id}/audit-log" \
  -H "Authorization: Bearer <API_TOKEN>" \
  -H "Content-Type: application/json"
Original source