Cloudflare WAF adds command injection detection rules for 2026-03-23 release
New Detection Rules
Cloudflare's Web Application Firewall (WAF) will introduce three new command injection detection rules as part of the scheduled release on March 23, 2026:
- Command Injection - Generic 9 - URI Vector: New detection for command injection attempts in URI parameters
- Command Injection - Generic 9 - Header Vector: New detection for command injection attempts in HTTP headers
- Command Injection - Generic 9 - Body Vector: New detection for command injection attempts in request bodies
Release Configuration
All new rules will be deployed in Log mode, meaning they will monitor and record suspicious activity without blocking traffic by default. This allows organizations to validate the rules in their environment before enabling blocking.
Rule Consolidation
As part of this release, a beta rule for PHP, vBulletin, and jQuery File Upload code injection (covering CVE-2018-9206 and CVE-2019-17132) will be merged into the original detection rule. This consolidation streamlines the WAF ruleset and improves maintainability.
Recommended Actions
- Review the new command injection rules in your WAF configuration
- Monitor logs during the initial Log-mode period to identify any false positives
- Plan to enable blocking after validation if appropriate for your security posture
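
One way to carry out the log review recommended above, as an added example that is not Cloudflare's code: it groups Log-mode hits for the three new rules by endpoint and lists endpoints matched by several distinct clients, which are the likeliest false positives to check before enabling blocking. The event field names, the sample events and the distinct-client threshold are assumptions; map them to your own log export.

```python
import json
from collections import defaultdict

# Rule names exactly as listed in the release note.
NEW_RULES = {
    "Command Injection - Generic 9 - URI Vector",
    "Command Injection - Generic 9 - Header Vector",
    "Command Injection - Generic 9 - Body Vector",
}

# Constructed sample events (one JSON object per line). Field names are
# assumptions modelled on a firewall-event log export, not taken from the page.
SAMPLE_EVENTS = """
{"Action":"log","Description":"Command Injection - Generic 9 - Body Vector","ClientIP":"198.51.100.10","ClientRequestHost":"app.example.com","ClientRequestPath":"/api/notes"}
{"Action":"log","Description":"Command Injection - Generic 9 - Body Vector","ClientIP":"198.51.100.11","ClientRequestHost":"app.example.com","ClientRequestPath":"/api/notes"}
{"Action":"log","Description":"Command Injection - Generic 9 - Body Vector","ClientIP":"198.51.100.12","ClientRequestHost":"app.example.com","ClientRequestPath":"/api/notes"}
{"Action":"log","Description":"Command Injection - Generic 9 - Body Vector","ClientIP":"198.51.100.10","ClientRequestHost":"app.example.com","ClientRequestPath":"/api/notes"}
{"Action":"log","Description":"Command Injection - Generic 9 - URI Vector","ClientIP":"203.0.113.5","ClientRequestHost":"app.example.com","ClientRequestPath":"/search"}
{"Action":"log","Description":"Command Injection - Generic 9 - URI Vector","ClientIP":"203.0.113.5","ClientRequestHost":"app.example.com","ClientRequestPath":"/search"}
{"Action":"block","Description":"Unrelated rule (constructed)","ClientIP":"203.0.113.9","ClientRequestHost":"app.example.com","ClientRequestPath":"/login"}
{"Action":"log","Descr
"""

def summarize(ndjson_text):
    """Group Log-mode hits for the new rules by (rule, host, path)."""
    groups = defaultdict(lambda: {"hits": 0, "clients": set()})
    for line in ndjson_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank, truncated or malformed line
        if not isinstance(ev, dict) or ev.get("Action") != "log" or ev.get("Description") not in NEW_RULES:
            continue  # only Log-mode hits on the three new rules
        key = (ev["Description"], ev.get("ClientRequestHost", ""), ev.get("ClientRequestPath", ""))
        groups[key]["hits"] += 1
        groups[key]["clients"].add(ev.get("ClientIP"))
    return groups

def false_positive_candidates(groups, min_clients=3):
    """Heuristic: an endpoint matched by many distinct clients is more likely
    normal application traffic than one client probing. Review these first."""
    rows = [(rule, host, path, g["hits"], len(g["clients"]))
            for (rule, host, path), g in groups.items() if len(g["clients"]) >= min_clients]
    return sorted(rows, key=lambda r: r[3], reverse=True)

if __name__ == "__main__":
    for row in false_positive_candidates(summarize(SAMPLE_EVENTS)):
        print(row)
```

Endpoints that stay below the threshold still need a look; a single client triggering a rule repeatedly may be a real injection attempt or one integration sending unusual payloads.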