diff --git a/src/content/docs/waf/change-log/2025-05-27.mdx b/src/content/docs/waf/change-log/2025-05-27.mdx
new file mode 100644
index 000000000000000..2b34a1a7001bcbd
--- /dev/null
+++ b/src/content/docs/waf/change-log/2025-05-27.mdx
@@ -0,0 +1,145 @@
+---
+title: "2025-05-27"
+type: table
+pcx_content_type: release-notes
+sidebar:
+  order: 788
+tableOfContents: false
+---
+
+import { RuleID } from "~/components";
+
+This week’s roundup covers nine vulnerabilities, including six critical RCEs and one dangerous file upload. Affected platforms span cloud services, CI/CD pipelines, CMSs, and enterprise backup systems. Several are now addressed by updated WAF managed rulesets.
+
+**Key Findings**
+
+- Ingress-Nginx (CVE-2025-1098): Unauthenticated RCE via unsafe annotation handling. Impacts Kubernetes clusters.
+- GitHub Actions (CVE-2025-30066): RCE through malicious workflow inputs. Targets CI/CD pipelines.
+- Craft CMS (CVE-2025-32432): Template injection enables unauthenticated RCE. High risk to content-heavy sites.
+- F5 BIG-IP (CVE-2025-31644): RCE via TMUI exploit, allowing full system compromise.
+- AJ-Report (CVE-2024-15077): RCE through untrusted template execution. Affects reporting dashboards.
+- NAKIVO Backup (CVE-2024-48248): RCE via insecure script injection. High-value target for ransomware.
+- SAP NetWeaver (CVE-2025-31324): Dangerous file upload flaw enables remote shell deployment.
+- Ivanti EPMM (CVE-2025-4428, 4427): Auth bypass allows full access to mobile device management.
+- Vercel (CVE-2025-32421): Information leak via misconfigured APIs. Useful for attacker recon.
+
+**Impact**
+
+These newly detected vulnerabilities introduce critical risk across modern web stacks, AI infrastructure, and content platforms: unauthenticated RCEs in Commvault, BentoML, and Craft CMS enable full system compromise with minimal attacker effort.
+
+Apache HTTPD information leak can support targeted reconnaissance, increasing the success rate of follow-up exploits. Organizations using these platforms should prioritize patching and monitor for indicators of exploitation using updated WAF detection rules.
+
+<table style="width: 100%">
+	<thead>
+		<tr>
+			<th>Ruleset</th>
+			<th>Rule ID</th>
+			<th>Legacy Rule ID</th>
+			<th>Description</th>
+			<th>Previous Action</th>
+			<th>New Action</th>
+			<th>Comments</th>
+		</tr>
+	</thead>
+	<tbody>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td>
+				<RuleID id="6a61a14f44af4232a44e45aad127592a" />
+			</td>
+			<td>100746</td>
+			<td>Vercel - Information Disclosure</td>
+			<td>Log</td>
+			<td>Disabled</td>
+			<td>This is a New Detection</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td>
+				<RuleID id="bd30b3c43eb44335ab6013c195442495" />
+			</td>
+			<td>100754</td>
+			<td>AJ-Report - Remote Code Execution - CVE:CVE-2024-15077</td>
+			<td>Log</td>
+			<td>Block</td>
+			<td>This is a New Detection</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td>
+				<RuleID id="6a13bd6e5fc94b1d9c97eb87dfee7ae4" />
+			</td>
+			<td>100756</td>
+			<td>NAKIVO Backup - Remote Code Execution - CVE:CVE-2024-48248</td>
+			<td>Log</td>
+			<td>Block</td>
+			<td>This is a New Detection</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td>
+				<RuleID id="a4af6f2f15c9483fa9eab01d1c52f6d0" />
+			</td>
+			<td>100757</td>
+			<td>Ingress-Nginx - Remote Code Execution - CVE:CVE-2025-1098</td>
+			<td>Log</td>
+			<td>Disabled</td>
+			<td>This is a New Detection</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td>
+				<RuleID id="bd30b3c43eb44335ab6013c195442495" />
+			</td>
+			<td>100759</td>
+			<td>SAP NetWeaver - Dangerous File Upload - CVE:CVE-2025-31324</td>
+			<td>Log</td>
+			<td>Block</td>
+			<td>This is a New Detection</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td>
+				<RuleID id="dab2df4f548349e3926fee845366ccc1" />
+			</td>
+			<td>100760</td>
+			<td>Craft CMS - Remote Code Execution - CVE:CVE-2025-32432</td>
+			<td>Log</td>
+			<td>Block</td>
+			<td>This is a New Detection</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td>
+				<RuleID id="5eb23f172ed64ee08895e161eb40686b" />
+			</td>
+			<td>100761</td>
+			<td>GitHub Action - Remote Code Execution - CVE:CVE-2025-30066</td>
+			<td>Log</td>
+			<td>Disabled</td>
+			<td>This is a New Detection</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td>
+				<RuleID id="827037f2d5f941789efcba6260fc041c" />
+			</td>
+			<td>100762</td>
+			<td>Ivanti EPMM - Auth Bypass - CVE:CVE-2025-4428, CVE:CVE-2025-4427</td>
+			<td>Log</td>
+			<td>Block</td>
+			<td>This is a New Detection</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td>
+				<RuleID id="ddee6d1c4f364768b324609cebafdfe6" />
+			</td>
+			<td>100763</td>
+			<td>F5 Big IP - Remote Code Execution - CVE:CVE-2025-31644</td>
+			<td>Log</td>
+			<td>Disabled</td>
+			<td>This is a New Detection</td>
+		</tr>
+	</tbody>
+</table>
diff --git a/src/content/docs/waf/change-log/scheduled-changes.mdx b/src/content/docs/waf/change-log/scheduled-changes.mdx
index 7a26c859752ef30..ba3604fb7a61465 100644
--- a/src/content/docs/waf/change-log/scheduled-changes.mdx
+++ b/src/content/docs/waf/change-log/scheduled-changes.mdx
@@ -25,102 +25,58 @@ import { RSSButton, RuleID } from "~/components";
   </thead>
   <tbody>
     <tr>
-      <td>2025-05-19</td>
-      <td>2025-05-26</td>
+      <td>2025-05-27</td>
+      <td>2025-06-02</td>
       <td>Log</td>
-      <td>100746</td>
+      <td>100764</td>
       <td>
-        <RuleID id="6a61a14f44af4232a44e45aad127592a" />
+        <RuleID id="752cfb5e6f9c46f0953c742139b52f02" />
       </td>
-      <td>Vercel - Information Disclosure</td>
+      <td>Versa Concerto SD-WAN - Auth Bypass - CVE:CVE-2025-34027</td>
       <td>This is a New Detection</td>
     </tr>
     <tr>
-      <td>2025-05-19</td>
-      <td>2025-05-26</td>
+      <td>2025-05-27</td>
+      <td>2025-06-02</td>
       <td>Log</td>
-      <td>100754</td>
-    	<td>
-				<RuleID id="bd30b3c43eb44335ab6013c195442495" />
-			</td>
-      <td>AJ-Report - Remote Code Execution - CVE:CVE-2024-15077</td>
-      <td>This is a New Detection</td>
-    </tr>
-    <tr>
-      <td>2025-05-19</td>
-      <td>2025-05-26</td>
-      <td>Log</td>
-      <td>100756</td>
-    	<td>
-				<RuleID id="6a13bd6e5fc94b1d9c97eb87dfee7ae4" />
-			</td>
-      <td>NAKIVO Backup - Remote Code Execution - CVE:CVE-2024-48248</td>
-      <td>This is a New Detection</td>
-    </tr>
-    <tr>
-      <td>2025-05-19</td>
-      <td>2025-05-26</td>
-      <td>Log</td>
-      <td>100757</td>
-    	<td>
-				<RuleID id="a4af6f2f15c9483fa9eab01d1c52f6d0" />
-			</td>
-      <td>Ingress-Nginx - Remote Code Execution - CVE:CVE-2025-1098</td>
-      <td>This is a New Detection</td>
-    </tr>
-    <tr>
-      <td>2025-05-19</td>
-      <td>2025-05-26</td>
-      <td>Log</td>
-      <td>100759</td>
-    	<td>
-				<RuleID id="bd30b3c43eb44335ab6013c195442495" />
-			</td>
-      <td>SAP NetWeaver - Dangerous File Upload - CVE:CVE-2025-31324</td>
-      <td>This is a New Detection</td>
-    </tr>
-    <tr>
-      <td>2025-05-19</td>
-      <td>2025-05-26</td>
-      <td>Log</td>
-      <td>100760</td>
-    	<td>
-				<RuleID id="dab2df4f548349e3926fee845366ccc1" />
-			</td>
-      <td>Craft CMS - Remote Code Execution - CVE:CVE-2025-32432</td>
+      <td>100765</td>
+      <td>
+        <RuleID id="a01171de18034901b48a5549a34edb97" />
+      </td>
+      <td>Versa Concerto SD-WAN - Auth Bypass - CVE:CVE-2025-34026</td>
       <td>This is a New Detection</td>
     </tr>
     <tr>
-      <td>2025-05-19</td>
-      <td>2025-05-26</td>
+      <td>2025-05-27</td>
+      <td>2025-06-02</td>
       <td>Log</td>
-      <td>100761</td>
+      <td>100766</td>
       <td>
-        <RuleID id="5eb23f172ed64ee08895e161eb40686b" />
+        <RuleID id="840b35492a7543c18ffe50fc0d99b2db" />
       </td>
-      <td>GitHub Action - Remote Code Execution - CVE:CVE-2025-30066</td>
+      <td>Kemp LoadMaster - Remote Code Execution - CVE:CVE-2024-7591</td>
       <td>This is a New Detection</td>
     </tr>
     <tr>
-      <td>2025-05-19</td>
-      <td>2025-05-26</td>
+      <td>2025-05-27</td>
+      <td>2025-06-02</td>
       <td>Log</td>
-      <td>100762</td>
+      <td>100767</td>
       <td>
-        <RuleID id="827037f2d5f941789efcba6260fc041c" />
+        <RuleID id="121b7070de3a459dbe80d7ed95aa3a4f" />
       </td>
-      <td>Ivanti EPMM - Auth Bypass - CVE:CVE-2025-4428, CVE:CVE-2025-4427</td>
+      <td>AnythingLLM - SSRF - CVE:CVE-2024-0759</td>
       <td>This is a New Detection</td>
     </tr>
     <tr>
-      <td>2025-05-19</td>
-      <td>2025-05-26</td>
+      <td>2025-05-27</td>
+      <td>2025-06-02</td>
       <td>Log</td>
-      <td>100763</td>
+      <td>100768</td>
       <td>
-        <RuleID id="ddee6d1c4f364768b324609cebafdfe6" />
+        <RuleID id="215417f989e2485a9c50eca0840a0966" />
       </td>
-      <td>F5 Big IP - Remote Code Execution - CVE:CVE-2025-31644</td>
+      <td>Anyscale Ray - Remote Code Execution - CVE:CVE-2023-48022</td>
       <td>This is a New Detection</td>
     </tr>
   </tbody>
diff --git a/src/content/release-notes/waf.yaml b/src/content/release-notes/waf.yaml
index 2cd21e0665f61dd..67fe95701ef25ba 100644
--- a/src/content/release-notes/waf.yaml
+++ b/src/content/release-notes/waf.yaml
@@ -5,11 +5,14 @@ productLink: "/waf/"
 productArea: Application security
 productAreaLink: /fundamentals/reference/changelog/security/
 entries:
-  - publish_date: "2025-05-19"
-    scheduled_date: "2025-05-26"
+  - publish_date: "2025-05-27"
+    scheduled_date: "2025-06-02"
     individual_page: true
     scheduled: true
     link: "/waf/change-log/scheduled-changes/"
+  - publish_date: "2025-05-27"
+    individual_page: true
+    link: "/waf/change-log/2025-05-27/"
   - publish_date: "2025-05-19"
     individual_page: true
     link: "/waf/change-log/2025-05-19/"