Application Security Updates & Release Notes

Follow

117 updates curated from 1 source by the Releasebot Team. Last updated: Jul 3, 2026

Get this feed:
  • Jul 1, 2026
    • Date parsed from source:
      Jul 1, 2026
    • First seen by Releasebot:
      Jul 3, 2026
    Cloudflare logo

    Application Security by Cloudflare

    Bots - New options to manage AI traffic

    Application Security adds AI crawler controls that let customers manage Search, Agent, and Training traffic separately, including Free plan users. It lets teams block, allow, or limit crawlers by page type, with updated defaults for new domains starting September 15, 2026.

    Not all AI traffic is the same. Now, all customers — including those on the Free plan — can manage AI crawlers based on what they actually do on your site. Cloudflare groups AI traffic into three behaviors you can control independently: Search, Agent, and Training. This lets you keep the automated traffic that sends readers and revenue back to you, while blocking the traffic that only takes from your content.

    Each behavior maps to a real use case. Search covers crawlers that index your content so they can answer questions about it later, where you should expect referral traffic or other equitable compensation in return. Agent covers automated activity acting in real time on a person's behalf, such as chat fetch bots and browser-use agents. Training covers crawlers that take your content to train or fine-tune a model. For each preset you can choose to block on all pages, block only on pages that display ads, or choose not to block.

    Starting September 15, 2026, new domains onboarding to Cloudflare receive updated defaults: Bots classified as Training or as Agent are blocked on pages that display ads, while Search remains allowed. On that date, multi-purpose crawlers that combine Search and Training will be affected by the new defaults to block Training. All customers can opt out of the new defaults at any time before September 15.

    Original source
  • Jul 1, 2026
    • Date parsed from source:
      Jul 1, 2026
    • First seen by Releasebot:
      Jul 3, 2026
    Cloudflare logo

    Application Security by Cloudflare

    Bots - More visibility into bot traffic with BotBase and Attribution Business Insights

    Application Security introduces BotBase and Attribution Business Insights for Enterprise Bot Management, giving customers a searchable directory of tracked bots and a dashboard to see crawl-to-referral value, bot classifications, and allowed or blocked AI traffic at a glance.

    With Content Independence Day 2026, Enterprise Bot Management customers get two new tools that make bot traffic far easier to see and reason about: BotBase, a searchable directory of every bot Cloudflare tracks, and Attribution Business Insights, a dashboard that shows how much value each crawler sends back to your business.

    BotBase is Cloudflare's directory of all known bots and agents, available directly in the dashboard. It shows how Cloudflare classifies each bot by behavior — Search, Agent, Training, and other categories such as Transact, Data Collection, SEO, and Ads Verification — so you can understand why a given crawler is visiting you. You can search and filter the full catalogue, filter your own traffic down to a single bot to investigate its activity on your zone, and copy any bot's detection ID to target it precisely in Security rules. Every tracked bot in BotBase is also published in Cloudflare Radar's bots and agents directory.

    Attribution Business Insights is built for content owners and business decision-makers who want to know which bots help or harm their business, without reading rule syntax. The dashboard reports crawl-to-referral ratios both site-wide and per bot operator — comparing how often a company crawls your content against how many visitors it actually refers back — over the last 24 hours, 7 days, or 30 days. Each operator is labeled with Cloudflare's updated classification and an action status of Allowed, Blocked, or Partially blocked, giving stakeholders a shared, at-a-glance view of the AI traffic reaching your site.

    Original source
  • All of your release notes in one feed

    Join Releasebot and get updates from Cloudflare and hundreds of other software products.

    Create account
  • Jul 1, 2026
    • Date parsed from source:
      Jul 1, 2026
    • First seen by Releasebot:
      Jul 3, 2026
    Cloudflare logo

    Application Security by Cloudflare

    WAF - WAF Release - 2026-07-01

    Application Security adds targeted coverage for a Fortinet FortiSandbox path traversal flaw and updates the Fake Bing or MSN Bot user-agent rule by changing its action from Block to Disabled.

    This release adds targeted coverage for a path traversal flaw in Fortinet FortiSandbox (CVE-2026-39813) and transitions the Anomaly:Header:User-Agent - Fake Bing or MSN Bot rule action from Block to Disabled.

    Key Findings

    CVE-2026-39813: A path traversal vulnerability in Fortinet FortiSandbox allows remote, unauthenticated attackers to read arbitrary files from the underlying filesystem due to insufficient validation of user-supplied input paths.

    Ruleset

    Rule ID Legacy Rule ID Description Previous Action New Action Comments Cloudflare Managed Ruleset 32075e19b1494117ac5915e8d84c92c9 N/A Fortinet FortiSandbox - Path Traversal - CVE:CVE-2026-39813 Log Block Cloudflare Managed Ruleset ae20608d93b94e97988db1bbc12cf9c8 N/A Anomaly:Header:User-Agent - Fake Bing or MSN Bot Enabled Disabled

    This is a new detection.

    We are changing the action for this rule from BLOCK to Disabled

    Original source
  • Jun 23, 2026
    • Date parsed from source:
      Jun 23, 2026
    • First seen by Releasebot:
      Jun 23, 2026
    Cloudflare logo

    Application Security by Cloudflare

    WAF - WAF Release - 2026-06-23

    Application Security adds managed protection for a critical pre-authentication OS command injection in Ivanti Sentry, helping stop unauthenticated attackers from running arbitrary system commands with root privileges. The release also adds a new detection that blocks this threat.

    This week's release introduces new managed protection to address a critical pre-authentication OS command injection vulnerability in Ivanti Sentry (CVE-2026-10520).

    Key Findings

    CVE-2026-10520: An OS command injection vulnerability in Ivanti Sentry allows remote, unauthenticated attackers to execute arbitrary system commands with root privileges. The flaw stems from improper sanitization of input strings parsed during internal configuration handling.

    Ruleset

    Rule ID Legacy Rule ID Description Previous Action New Action Comments Cloudflare Managed Ruleset 500a90789f874345b60b0de7242fdf83 N/A Ivanti Sentry - Command Injection - CVE:CVE-2026-10520 Log Block This is a new detection. Original source
  • Jun 23, 2026
    • Date parsed from source:
      Jun 23, 2026
    • First seen by Releasebot:
      Jun 23, 2026
    Cloudflare logo

    Application Security by Cloudflare

    WAF - WAF Release - Scheduled changes for 2026-06-29

    Application Security adds new detection for Fortinet FortiSandbox path traversal CVE-2026-39813.

    Announcement Date

    Release Date

    Release Behavior

    Legacy Rule ID

    Rule ID

    Description

    Comments

    2026-06-23

    2026-06-29

    Log

    N/A

    32075e19b1494117ac5915e8d84c92c9

    Fortinet FortiSandbox - Path Traversal - CVE:CVE-2026-39813

    This is a new detection.

    Original source
  • Similar to Application Security with recent updates:

  • Jun 15, 2026
    • Date parsed from source:
      Jun 15, 2026
    • First seen by Releasebot:
      Jun 17, 2026
    Cloudflare logo

    Application Security by Cloudflare

    WAF - WAF Release - 2026-06-15

    Application Security adds managed protection for a critical Ghost CMS SQL injection vulnerability and introduces a new generic rule to detect and block sophisticated SQLi bypass attempts using obfuscated boolean logic, helping protect affected sites at the edge.

    This week's release introduces new managed protection to address a critical SQL injection vulnerability in Ghost CMS (CVE-2026-26980) and a new generic rule designed to identify and block sophisticated SQL Injection (SQLi) bypass attempts leveraging obfuscated boolean logic. These rules protect affected installations from unauthorized data exfiltration at the network edge.

    Key Findings

    CVE-2026-26980: A blind SQL injection vulnerability in the Ghost CMS Content API (versions 3.24.0 to 6.19.0) allows unauthenticated remote attackers to inject malicious SQL commands via query parameters due to improper input validation.

    Ruleset

    Rule ID
    Legacy Rule ID
    Description
    Previous Action
    New Action
    Comments

    Cloudflare Managed Ruleset
    439c4ef64b32447989bdf412b4c29bc6
    N/A
    Ghost CMS - SQLi - CVE:CVE-2026-26980
    Log
    Block
    This is a new detection.

    Cloudflare Managed Ruleset
    6c64b68ef5ed45e7a622cdaab56f403f
    N/A
    SQLi - Obfuscated Boolean - URI
    Log
    Disabled
    This is a new detection.

    Original source
  • Jun 15, 2026
    • Date parsed from source:
      Jun 15, 2026
    • First seen by Releasebot:
      Jun 17, 2026
    Cloudflare logo

    Application Security by Cloudflare

    WAF - WAF Release - Scheduled changes for 2026-06-22

    Application Security adds new detection for Ivanti Sentry command injection CVE-2026-10520.

    Announcement Date

    2026-06-15

    Release Date

    2026-06-22

    Release Behavior

    Log

    Legacy Rule ID

    N/A

    Rule ID

    500a90789f874345b60b0de7242fdf83

    Description

    Ivanti Sentry - Command Injection - CVE:CVE-2026-10520

    Comments

    This is a new detection.

    Original source
  • Jun 15, 2026
    • Date parsed from source:
      Jun 15, 2026
    • First seen by Releasebot:
      Jun 16, 2026
    Cloudflare logo

    Application Security by Cloudflare

    WAF - Use Cloudforce One threat intelligence in WAF rules

    Application Security adds Cloudforce One threat intelligence matching to WAF rules, letting customers use client IP lookups in custom and rate limiting rules. It populates cf.intel.ip fields for threat activity and works with the API, Terraform, and Security Analytics.

    You can now match incoming requests against Cloudforce One threat intelligence in your WAF rules.

    A new detection looks up the client IP address of each request against the threat intelligence database. If the IP was involved in threat activity in the past seven days, Cloudflare populates cf.intel.ip.* fields that you can use in custom rules and rate limiting rules.

    The detection populates the following fields. Use the any() function with the [*] wildcard to match array values:

    • cf.intel.ip.datasets — the dataset that flagged the IP address (ddos or waf).
    • cf.intel.ip.target_industries — industries the IP address has targeted.
    • cf.intel.ip.attacker_names — known threat actors associated with the IP address.
    • cf.intel.ip.attacker_countries — source countries of the threat activity.
    • cf.intel.ip.target_countries — countries the IP address has targeted.

    For example, the following custom rule expression blocks requests from IP addresses associated with DDoS activity that have targeted France:

    any(cf.intel.ip.target_countries[*] == "FR") and any(cf.intel.ip.datasets[*] == "ddos")
    

    These fields work with the Cloudflare API and Terraform. Matches are logged in Security Analytics.

    The threat intelligence detection is available to customers with an active Cloudforce One subscription. For more information, refer to Threat intelligence.

    Original source
  • Jun 10, 2026
    • Date parsed from source:
      Jun 10, 2026
    • First seen by Releasebot:
      Jun 11, 2026
    Cloudflare logo

    Application Security by Cloudflare

    Security Center - Automated Cease and Desist templates for Brand Protection

    Application Security adds an Automated Cease & Desist workflow for Brand Protection, letting users generate, review, and download pre-filled legal notices for infringing domains hosted outside Cloudflare, with smart recipient lookup, branded templates, and editable enforcement tones.

    TL;DR: Brand Protection now features an Automated Cease & Desist (C&D) workflow. When you discover an infringing domain hosted outside of Cloudflare, you can instantly generate, review, and download a custom-branded, pre-filled legal notice in seconds.

    Why this matters

    This update introduces a major shift from pure detection to actionable enforcement, eliminating the manual burden for your Trust & Safety and Legal teams:

    • Instant WHOIS and Recipient Lookup: We automatically scrape registrar data and WHOIS contact information (such as the registrant or registrar abuse email) behind the scenes, highlighting exactly where your notice needs to be sent
    • Smart Template Automation: We pre-fill your custom-branded templates with essential metadata, including the infringing domain, registrar name, and discovery date.
    • Tailored Enforcement Tones: Choose from three default layout strategies depending on the severity of the infrastructure match:
      • Exact Match: A formal demand for identical trademark infringements
      • Similar Match: A standard notice optimized for typosquatting (one-character distance matches)
      • Friendly Tone: An amicable initial outreach for potential unintentional or accidental infringements
    • Full Editing Control: Before creating the final PDF, a real-time review screen allows you to fine-tune the messaging, modify placeholders, and ensure your text aligns perfectly with internal legal standards

    How it works

    When reviewing a malicious domain match inside your dashboard, your enforcement path splits depending on where the attacker is located:

    • On the Cloudflare Network: If the domain uses Cloudflare’s network or registrar, trigger our existing integrated abuse reporting flow with one click.
    • Hosted Elsewhere: If the domain is hosted on an external provider, click the Generate C&D Letter option to launch the new document builder, pick your template, verify the auto-populated recipient data, and download your finalized PDF.

    You can manage your templates and enforce matches by going to the Cloudflare Dashboard > Application Security > Brand Protection and selecting your detected Brand Protection matches.

    For more information, read the Brand Protection documentation.

    Note: Cloudflare does not represent you and cannot provide you with legal advice. Only you can decide whether your rights have been infringed, whether a cease and desist letter is appropriate, and what that letter should say.

    Original source
  • Jun 9, 2026
    • Date parsed from source:
      Jun 9, 2026
    • First seen by Releasebot:
      Jun 9, 2026
    Cloudflare logo

    Application Security by Cloudflare

    WAF - WAF Release - 2026-06-09

    Application Security adds new detections for critical Drupal PostgreSQL SQL injection, Mirasvit Cache Warmer unsafe deserialization, and Axios prototype pollution, plus a generic rule to block obfuscated SQL injection bypass attempts.

    This release introduces new detections for a critical SQL injection vulnerability in Drupal installations utilizing PostgreSQL (CVE-2026-9082), alongside targeted protection for an unsafe deserialization flaw in the Mirasvit Cache Warmer extension (CVE-2026-45247). Additionally, this release includes coverage for a prototype pollution vector in Axios (CVE-2026-40175) and a new generic rule designed to identify and block sophisticated SQL Injection (SQLi) bypass attempts leveraging obfuscated boolean logic.

    Key Findings

    CVE-2026-9082: A database abstraction vulnerability affects Drupal sites configured with a PostgreSQL backend. Remote, unauthenticated attackers can exploit this flaw via crafted inputs to inject malicious SQL commands and access or manipulate backend data.

    CVE-2026-45247: A PHP Object Injection vulnerability exists in the Mirasvit Cache Warmer extension for Magento and Adobe Commerce. This flaw stems from unsafe deserialization of untrusted user input, enabling unauthenticated attackers to execute arbitrary code on the hosting server.

    CVE-2026-40175: A prototype pollution vulnerability affects the Axios HTTP client library. Attackers can exploit this to inject malicious properties into the global JavaScript object prototype, potentially causing application crashes (Denial of Service) or executing unauthorized code depending on the application structure.

    Impact

    Successful exploitation of these vulnerabilities could allow unauthenticated attackers to execute arbitrary code, manipulate database contents, or induce application crashes, leading to severe operational disruption or complete server compromise. These newly deployed signatures intercept these advanced malicious payloads at the edge before they can interact with vulnerable software configurations.

    Ruleset

    • Cloudflare Managed Ruleset

      • Rule ID: b4f88cb767874def810edd0b387cf935
      • Legacy Rule ID: N/A
      • Description: Axios - Prototype Pollution - CVE:CVE-2026-40175
      • Previous Action: Log
      • New Action: Block
      • Comments: This is a new detection.
    • Cloudflare Managed Ruleset

      • Rule ID: 098997bb8b5f48abb4039bd6417eb9e0
      • Legacy Rule ID: N/A
      • Description: Drupal - PostgreSQL SQLi - CVE:CVE-2026-9082 - Body
      • Previous Action: Log
      • New Action: Block
      • Comments: This is a new detection.
    • Cloudflare Managed Ruleset

      • Rule ID: 8a7650b99ec04a91a19b8295fd3857fd
      • Legacy Rule ID: N/A
      • Description: Drupal - PostgreSQL SQLi - CVE:CVE-2026-9082 - URI
      • Previous Action: Log
      • New Action: Block
      • Comments: This is a new detection.
    • Cloudflare Managed Ruleset

      • Rule ID: 525c0871787840e6a6193f6caee241d2
      • Legacy Rule ID: N/A
      • Description: SQLi - Obfuscated Boolean - Body
      • Previous Action: N/A
      • New Action: Disabled
      • Comments: This is a new detection.
    • Cloudflare Managed Ruleset

      • Rule ID: 1ec4aeaf7900463397b82b35d8620070
      • Legacy Rule ID: N/A
      • Description: SQLi - Obfuscated Boolean - Headers
      • Previous Action: N/A
      • New Action: Disabled
      • Comments: This is a new detection.
    • Cloudflare Managed Ruleset

      • Rule ID: fb74766654c44ff2a5204dc4e0be4d47
      • Legacy Rule ID: N/A
      • Description: Mirasvit Cache Warmer - PHP Object Injection - CVE:CVE-2026-45247
      • Previous Action: N/A
      • New Action: Block
      • Comments: This is a new detection.
    Original source
  • Jun 9, 2026
    • Date parsed from source:
      Jun 9, 2026
    • First seen by Releasebot:
      Jun 9, 2026
    Cloudflare logo

    Application Security by Cloudflare

    WAF - WAF Release - Scheduled changes for 2026-06-15

    Application Security adds two new SQLi detections for Ghost CMS and obfuscated boolean URI attacks.

    Announcement Date

    Release Date

    Release Behavior

    Legacy Rule ID

    Rule ID

    Description

    Comments

    2026-06-09

    2026-06-15

    Log

    N/A

    439c4ef64b32447989bdf412b4c29bc6

    Ghost CMS - SQLi - CVE:CVE-2026-26980

    This is a new detection.

    2026-06-09

    2026-06-15

    Log

    N/A

    6c64b68ef5ed45e7a622cdaab56f403f

    SQLi - Obfuscated Boolean - URI

    This is a new detection.

    Original source
  • Jun 8, 2026
    • Date parsed from source:
      Jun 8, 2026
    • First seen by Releasebot:
      Jun 10, 2026
    Cloudflare logo

    Application Security by Cloudflare

    Security Center - Create WAF rules directly from Threat Events saved views

    Application Security now lets Cloudforce One users turn Threat Events indicators into active defense by generating WAF rules from Saved Views, making threat mitigation faster through the dashboard, API, or Terraform.

    Cloudforce One users can now turn Threat Events indicators into active defense. With this update, users can instantly generate a WAF rule that matches the dynamic list of IP addresses returned by any of their Saved Views.

    Why this matters

    Threat intelligence is most effective when it is immediately actionable. Previously, blocking threat actors required manually extracting indicators from threat events and copying them into your firewall rules.

    This new integration bridges the gap between threat discovery and threat mitigation:

    When you identify an active threat pattern - such as an ongoing campaign targeting a specific industry, or using a known indicator type - you can pivot from investigation to mitigation in a single click.

    Instead of writing complex, static IP rules, this functionality allows you to leverage the specific filtering logic you have already defined and saved within your Threat Events ecosystem.

    Automating the generation of the WAF rule expression from your threat views eliminates manual copying errors, ensuring that the right malicious infrastructure is blocked instantly.

    How to use it

    You can implement these rules through both the dashboard UI and via the API / Terraform.

    Go to Cloudflare Dashboard > Application Security > Threat Intelligence > Manage Views, select your desired view, and select Create WAF Rule.

    This will automatically pre-populate the WAF rule builder with the matching threat event IP indicators.

    You can also automate this workflow by utilizing the WAF Rule Builder API alongside your Threat Events saved views endpoints.

    Original source
  • Jun 8, 2026
    • Date parsed from source:
      Jun 8, 2026
    • First seen by Releasebot:
      Jun 10, 2026
    Cloudflare logo

    Application Security by Cloudflare

    Security Center - Introducing Threat Actor Profiles in Threat Events

    Application Security launches Threat Actor Profiles in the Threat Events dashboard, helping teams pivot from alerts to adversary context with aliases, origin tracking, threat volume, MITRE ATT&CK mapping, and a dedicated threat actor directory.

    TL;DR: We’ve launched Threat Actor Profiles directly inside the Threat Events dashboard. You can now immediately pivot from a generic alert or blocked event to a profile that unmasks the "Who, Why, and How" behind a threat event.

    Why this matters

    Security teams often suffer from a visibility gap. When an attack is blocked, it's difficult to know if it was a random automated bot or a sophisticated advanced persistent threat (APT) campaign specifically targeting your industry. Finding out usually means leaving your security dashboard to hunt through external OSINT feeds or static, out-of-date threat reports.

    Threat Actor Profiles solve this by sharing Cloudforce One’s deep adversary research directly inside your workflow:

    Cloudflare sees the traffic in real-time across approximately 20% of the web. This means actor profiles display active malicious infrastructure the moment it touches our global edge.

    Every profile provides clear strategic and tactical modules including alternative aliases, origin tracking, historical threat event volume, and MITRE ATT&CK mapping detailing the adversary's technical methods.

    You can search the dedicated threat actor directory or click an actor's name inside any threat event to view all details and related events to the specific threat actor.

    How to use it

    Adversary tracking is now available in the Cloudflare Dashbboard and ready to be included in your daily investigation workflow:

    Click on the Threat Actor name in the Threat Events table to open their full identity profile and review their aliases and attack stats.

    Navigate to Cloudflare Dashboard > Application Security > Threat Intelligence to explore the new Threat Actors tab. Here, you can browse a card-based directory of all established entities tracked by Cloudforce One.

    Learn more in the Cloudforce One documentation.

    Original source
  • May 29, 2026
    • Date parsed from source:
      May 29, 2026
    • First seen by Releasebot:
      Jun 2, 2026
    Cloudflare logo

    Application Security by Cloudflare

    Security Center - Security scans more frequent

    Application Security now scans more often and by default, with Free accounts checked every 7 days, Pro and Business every 3 days, and Enterprise daily. It also adds on-demand scans for any zone, insight, or insight type to quickly re-check security posture after remediation.

    Security Insights scans now run more often. Cloudflare scans Free accounts every 7 days, Pro and Business accounts every 3 days, and Enterprise accounts daily.

    In addition, all accounts and zones now receive scans by default. You no longer need to enable scans before Cloudflare checks your account for misconfigurations, vulnerabilities, and other security risks.

    Granular on-demand scans are now available on any plan. You can trigger an on-demand scan for any zone, insight, insight type from the Cloudflare dashboard in order to quickly re-check your security posture after remediating an issue.

    To learn more, refer to the Security Insights documentation.

    Original source
  • May 20, 2026
    • Date parsed from source:
      May 20, 2026
    • First seen by Releasebot:
      May 23, 2026
    Cloudflare logo

    Application Security by Cloudflare

    WAF - WAF Release - 2026-05-20

    Application Security adds managed rule enhancements to improve detection resilience and behavioral coverage against broad web attacks, while strengthening protection for Sitecore cache poisoning with an updated Cloudflare Managed Ruleset block action.

    Key Findings

    Existing rule enhancements have been deployed to improve detection resilience against broad classes of web attacks and strengthen behavioral coverage.

    Continuous Rule Improvements

    We are continuously refining our managed rules to provide more resilient protection and deeper insights into attack patterns. To ensure an optimal security posture, we recommend consistently monitoring the Security Events dashboard and adjusting rule actions as these enhancements are deployed.

    Ruleset

    Rule ID

    Legacy Rule ID

    Description

    Previous Action

    New Action

    Comments

    Cloudflare Managed Ruleset

    bcdcec3ea63a480896513dc39e9c068d

    N/A

    Sitecore - Cache Poisoning - CVE:CVE-2025-53693 Beta

    N/A

    Block

    This rule is merged into the original rule "Sitecore - Cache Poisoning - CVE-CVE-2025-53693" (ID: d1bd7563e6254db48ce703807c5b669c ).

    Original source
Releasebot

Curated by the Releasebot team

Releasebot is an aggregator of official product update announcements from hundreds of software vendors and thousands of sources.

Our editorial process involves the manual review and audit of release notes procured with the help of automated systems.