cloudflare · rag-cf · May 5, 2026 · May 5, 2026 · May 5, 2026
@@ -0,0 +1,318 @@
+---
+title: "WAF Release - 2026-05-04"
+description: Cloudflare WAF managed rulesets 2026-05-04 release
+date: 2026-05-04
+---
+
+import { RuleID } from "~/components";
+
+This week's release focuses on new detections to expand coverage across command injection, SQL injection, PHP object injection, remote code execution, and XSS attack vectors.
+
+**Key Findings**
+
+- Existing rule enhancements have been deployed to improve detection resilience against broad classes of web attacks and strengthen behavioral coverage.
+
+
+**Continuous Rule Improvements**
+
+We are continuously refining our managed rules to provide more resilient protection and deeper insights into attack patterns. To ensure an optimal security posture, we recommend consistently monitoring the Security Events dashboard and adjusting rule actions as these enhancements are deployed.
+
+
+<table style="width: 100%">
+  <thead>
+		<tr>
+			<th>Ruleset</th>
+			<th>Rule ID</th>
+			<th>Legacy Rule ID</th>
+			<th>Description</th>
+			<th>Previous Action</th>
+			<th>New Action</th>
+			<th>Comments</th>
+		</tr>
+  </thead>
+	<tbody>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td>
+				<RuleID id="607ec27233b54beb8b89386ef0884a68" />
+			</td>
+			<td>N/A</td>
+			<td>XSS, HTML Injection - Object Tag - Body (beta)</td>
+			<td>Log</td>
+			<td>Block</td>
+			<td>
+				This is a new detection. This rule is merged into the original rule
+				"XSS, HTML Injection - Object Tag" (ID:{" "}
+				<RuleID id="e9e3ac45a6d842f1a132fbf70c14e284" />).
+			</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td>
+				<RuleID id="0087c27420c54168a10bc05eff012303" />
+			</td>
+			<td>N/A</td>
+			<td>XSS, HTML Injection - Object Tag - Headers</td>
+			<td>Log</td>
+			<td>Block</td>
+			<td>
+				This is a new detection. The rule previously known as "XSS, HTML
+				Injection - Object Tag - Headers (beta)" is now renamed to "XSS, HTML
+				Injection - Object Tag - Headers".
+			</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td>
+				<RuleID id="38dc97853ebf40ed9476ec7816f921d9" />
+			</td>
+			<td>N/A</td>
+			<td>XSS, HTML Injection - Object Tag - URI</td>
+			<td>Log</td>
+			<td>Block</td>
+			<td>
+				This is a new detection. The rule previously known as "XSS, HTML
+				Injection - Object Tag - URI (beta)" is now renamed to "XSS, HTML
+				Injection - Object Tag - URI".
+			</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td>
+				<RuleID id="963cb530f72d4c75b2ae7befdc90d21a" />
+			</td>
+			<td>N/A</td>
+			<td>Command Injection - Generic 9 - Body Vector - Beta</td>
+			<td>N/A</td>
+			<td>Disabled</td>
+			<td>
+				This is a new detection. This rule is merged into the original rule
+				"Command Injection - Generic 9 - Body Vector" (ID:{" "}
+				<RuleID id="155bb67d1061479e995a38510677175f" />)
+			</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td>
+				<RuleID id="6ac1b6dfe22449a798cc7021f8960375" />
+			</td>
+			<td>N/A</td>
+			<td>Command Injection - Generic 9 - Header Vector - Beta</td>
+			<td>N/A</td>
+			<td>Disabled</td>
+			<td>
+				This is a new detection. This rule is merged into the original rule
+				"Command Injection - Generic 9 - Header Vector" (ID:{" "}
+				<RuleID id="b31c34a7b29b4aaf9be6883d1eb7a999" />)
+			</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td>
+				<RuleID id="47a9b66dd73a4a558590c4bdef47a800" />
+			</td>
+			<td>N/A</td>
+			<td>Command Injection - Generic 9 - URI Vector - Beta</td>
+			<td>N/A</td>
+			<td>Disabled</td>
+			<td>
+				This is a new detection. This rule is merged into the original rule
+				"Command Injection - Generic 9 - URI Vector" (ID:{" "}
+				<RuleID id="54ad0465c30d4cd2ac7a707197321c6c" />)
+			</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td>
+				<RuleID id="d2ae4a8093f245a1b9de71bbbeebf804" />
+			</td>
+			<td>N/A</td>
+			<td>Command Injection - Sleep - Body</td>
+			<td>N/A</td>
+			<td>Disabled</td>
+			<td>
+				This is a new detection. The rule previously known as "Command Injection
+				- Sleep" is now renamed to "Command Injection - Sleep - Body".
+			</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td>
+				<RuleID id="da91868c0d3d44afb846e7830d257566" />
+			</td>
+			<td>N/A</td>
+			<td>Command Injection - Sleep - Headers</td>
+			<td>N/A</td>
+			<td>Disabled</td>
+			<td>This is a new detection.</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td>
+				<RuleID id="04863c61e982464b91778f051856fe86" />
+			</td>
+			<td>N/A</td>
+			<td>Command Injection - Sleep - URI</td>
+			<td>N/A</td>
+			<td>Disabled</td>
+			<td>This is a new detection.</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td>
+				<RuleID id="9dc1a0b8dbb7425db619309be6e43c37" />
+			</td>
+			<td>N/A</td>
+			<td>Fortinet FortiSandbox - Command Injection - CVE:CVE-2026-39808</td>
+			<td>Log</td>
+			<td>Block</td>
+			<td>This is a new detection.</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td>
+				<RuleID id="b84c10f5a8f84800905932dc88118795" />
+			</td>
+			<td>N/A</td>
+			<td>Remote Code Execution - Common Bash Bypass - Headers</td>
+			<td>N/A</td>
+			<td>Disabled</td>
+			<td>This is a new detection.</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td>
+				<RuleID id="f496c40011f14bfdb5f55ec79299d53b" />
+			</td>
+			<td>N/A</td>
+			<td>Remote Code Execution - Common Bash Bypass - URI</td>
+			<td>N/A</td>
+			<td>Disabled</td>
+			<td>This is a new detection.</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td>
+				<RuleID id="a5f75abac2664554a984d061b0bf33f9" />
+			</td>
+			<td>N/A</td>
+			<td>Remote Code Execution - Common Bash Bypass - Body - Beta</td>
+			<td>N/A</td>
+			<td>Disabled</td>
+			<td>
+				This is a new detection. This rule is merged into the original rule
+				"Remote Code Execution - Common Bash Bypass Body" (ID:{" "}
+				<RuleID id="6e2f7a696ea74c979e7d069cefb7e5b9" />). The rule previously
+				known as "Remote Code Execution - Common Bash Bypass Beta" is now
+				renamed to "Remote Code Execution - Common Bash Bypass Body".
+			</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td>
+				<RuleID id="bbb31a886ab54f6c8cdd220d33bfe8b9" />
+			</td>
+			<td>N/A</td>
+			<td>PHP Object Injection - 2 - Body - Beta</td>
+			<td>N/A</td>
+			<td>Disabled</td>
+			<td>
+				This is a new detection. This rule is merged into the original rule
+				"PHP Object Injection - 2" (ID:{" "}
+				<RuleID id="8ef3c3f91eef46919cc9cb6d161aafdc" />)
+			</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td>
+				<RuleID id="e199688ab69746c88c33457f29552387" />
+			</td>
+			<td>N/A</td>
+			<td>PHP Object Injection - 2 - Headers</td>
+			<td>N/A</td>
+			<td>Disabled</td>
+			<td>This is a new detection.</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td>
+				<RuleID id="eb33d40e96c54e929af6ed9c8104f4c5" />
+			</td>
+			<td>N/A</td>
+			<td>PHP Object Injection - 2 - URI</td>
+			<td>N/A</td>
+			<td>Disabled</td>
+			<td>This is a new detection.</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td>
+				<RuleID id="76b15b7b122a4be6a40d8aa96a46201e" />
+			</td>
+			<td>N/A</td>
+			<td>SQLi - DROP - 2 - Beta</td>
+			<td>N/A</td>
+			<td>Disabled</td>
+			<td>
+				This is a new detection. This rule is merged into the original rule
+				"SQLi - DROP - 2" (ID:{" "}
+				<RuleID id="a967a167874b42b6898be46e48ac2221" />)
+			</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td>
+				<RuleID id="e24b2ef4a5c54f97a62db7a68b7f85ee" />
+			</td>
+			<td>N/A</td>
+			<td>SQLi - DROP - 2 - Headers</td>
+			<td>N/A</td>
+			<td>Disabled</td>
+			<td>This is a new detection.</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td>
+				<RuleID id="51123f35f1d249358aea8fb11546b5f0" />
+			</td>
+			<td>N/A</td>
+			<td>SQLi - DROP - 2 - URI</td>
+			<td>N/A</td>
+			<td>Disabled</td>
+			<td>This is a new detection.</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td>
+				<RuleID id="d86d8873310d41f2877458a91e053dce" />
+			</td>
+			<td>N/A</td>
+			<td>SmarterMail - Remote Code Execution - CVE:CVE-2026-24423</td>
+			<td>Log</td>
+			<td>Block</td>
+			<td>This is a new detection.</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td>
+				<RuleID id="00da180570d34b5bae2121acd0023a36" />
+			</td>
+			<td>N/A</td>
+			<td>SQLi - SELECT Expression - Body</td>
+			<td>Block</td>
+			<td>Disabled</td>
+			<td>Action changed</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td>
+				<RuleID id="c46d9097c9ef419aa4d9f10626cc211f" />
+			</td>
+			<td>N/A</td>
+			<td>SQLi - String Concatenation - URI</td>
+			<td>Block</td>
+			<td>Disabled</td>
+			<td>Action changed</td>
+		</tr>
+	</tbody>
+</table>