WAF Release - March 23, 2026

Cloudflare has deployed a new WAF release focused on expanding security coverage and improving detection resilience against web-based attacks.

Key Improvements

Command Injection Detection Three new rules have been added to detect Command Injection - Generic 9 attacks across multiple request vectors:

• URI Vector: Detects command injection attempts in URL parameters
• Header Vector: Detects command injection attempts in HTTP headers
• Body Vector: Detects command injection attempts in request bodies

These rules are currently in Log mode, allowing customers to monitor for these attack patterns before enforcement.

File Upload Vulnerability Rules The WAF has enhanced protection for known file upload vulnerabilities:

• A rule covering PHP, vBulletin, and jQuery File Upload code injection and dangerous file uploads (CVE-2018-9206, CVE-2019-17132) has been merged and upgraded from Log to Block action
• This consolidated rule provides improved detection and automatic blocking of exploitation attempts

Action Items

• Review the new command injection detection rules in Log mode to assess impact on your traffic
• Consider enabling Block action for file upload rules once you've validated against false positives
• Check your WAF dashboard for any rules that may need tuning based on your application's legitimate use cases