Skip to content

Changelog

New updates and improvements at Cloudflare.

hero image

WAF Release - 2026-07-17 - Emergency

This emergency release adds a new managed rule to block active exploitation of a critical remote code execution (RCE) and SQL injection (SQLi) vulnerability found in popular web frameworks.

Key Findings

  • Generic Frameworks - Unauthenticated RCE: Attackers can execute arbitrary system commands with web server privileges by sending malicious input containing invalid path sequences during request processing.

  • Generic Frameworks - SQLi: Attackers can execute unauthorized database queries due to a failure to sanitize input values within request parameters.

RulesetRule IDLegacy Rule IDDescriptionPrevious ActionNew ActionComments
Cloudflare Managed Ruleset N/AGeneric Rules - Unauthenticated RCEN/ABlockThis is a new detection.
Cloudflare Managed Ruleset N/AGeneric Rules - SQLi N/ABlockThis is a new detection.
Cloudflare Free Ruleset N/AGeneric Rules - Unauthenticated RCE N/ABlockThis is a new detection.
Cloudflare Free Ruleset N/AGeneric Rules - SQLi N/ABlockThis is a new detection.