Cloudflare WAF - WAF Release - 2026-06-09
Source: cloudflare.com
This release introduces new detections for a critical SQL injection vulnerability in Drupal installations using PostgreSQL (CVE-2026-9082), alongside targeted protection for an unsafe deserialization flaw in the Mirasvit Cache Warmer extension (CVE-2026-45247). Additionally, this release includes coverage for a prototype pollution vector in Axios (CVE-2026-40175) and a new generic rule designed to identify and block sophisticated SQL Injection (SQLi) bypass attempts leveraging obfuscated boolean logic.

Key Findings

- CVE-2026-9082: A database abstraction vulnerability affects Drupal sites configured with a PostgreSQL backend. Remote, unauthenticated attackers can exploit this flaw via crafted inputs to inject malicious SQL commands and access or manipulate backend data.
- CVE-2026-45247: A PHP Object Injection vulnerability exists in the Mirasvit Cache Warmer extension for Magento and Adobe Commerce. This flaw stems from unsafe deserialization of untrusted user input, enabling unauthenticated attackers to execute arbitrary code on the hosting server.
- CVE-2026-40175: A prototype pollution vulnerability affects the Axios HTTP client library. Attackers can exploit this to inject malicious properties into the global JavaScript object prototype, potentially causing application crashes (Denial of Service) or executing unauthorized code depending on the application structure.

Impact

Successful exploitation of these vulnerabilities could allow unauthenticated attackers to execute arbitrary code, manipulate database contents, or induce application crashes, leading to severe operational disruption or complete server compromise. These newly deployed signatures intercept these advanced malicious payloads at the edge before they can interact with vulnerable software configurations.

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| Cloudflare Managed Ruleset | b4f88cb767874def810edd0b387cf935 | N/A | Axios - Prototype Pollution - CVE:CVE-2026-40175 | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | 098997bb8b5f48abb4039bd6417eb9e0 | N/A | Drupal - PostgreSQL SQLi - CVE:CVE-2026-9082 - Body | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | 8a7650b99ec04a91a19b8295fd3857fd | N/A | Drupal - PostgreSQL SQLi - CVE:CVE-2026-9082 - URI | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | 525c0871787840e6a6193f6caee241d2 | N/A | SQLi - Obfuscated Boolean - Body | N/A | Disabled | This is a new detection. |
| Cloudflare Managed Ruleset | 1ec4aeaf7900463397b82b35d8620070 | N/A | SQLi - Obfuscated Boolean - Headers | N/A | Disabled | This is a new detection. |
| Cloudflare Managed Ruleset | fb74766654c44ff2a5204dc4e0be4d47 | N/A | Mirasvit Cache Warmer - PHP Object Injection - CVE:CVE-2026-45247 | N/A | Block | This is a new detection. |
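The two "SQLi - Obfuscated Boolean" rules in the table ship with the action Disabled, so a zone will not evaluate them until an override turns them on. The script below is an added example, not Cloudflare's code: it builds the override payload for the Rulesets API entrypoint of the `http_request_firewall_managed` phase that enables those two rule IDs in `log` mode, so hits can be reviewed for false positives before switching them to `block`. The managed ruleset ID, zone ID and API token are assumed to come from your own account (placeholders and environment variables below).

```python
import json
import os
import urllib.request

# Rule IDs taken from the 2026-06-09 release table; both are shipped Disabled.
RULES_SHIPPED_DISABLED = {
    "525c0871787840e6a6193f6caee241d2": "SQLi - Obfuscated Boolean - Body",
    "1ec4aeaf7900463397b82b35d8620070": "SQLi - Obfuscated Boolean - Headers",
}

# Assumption: the Cloudflare Managed Ruleset ID is read from your account's
# ruleset listing (GET /zones/{zone_id}/rulesets); placeholder until set.
MANAGED_RULESET_ID = os.environ.get("CF_MANAGED_RULESET_ID", "<CLOUDFLARE_MANAGED_RULESET_ID>")


def build_entrypoint_payload(managed_ruleset_id, rule_ids, action="log"):
    """Body for PUT /zones/{zone_id}/rulesets/phases/http_request_firewall_managed/entrypoint.

    It executes the managed ruleset with per-rule overrides that enable the given
    rules and set their action (default "log" for a review period before "block").
    Note: PUT replaces every rule in the phase entrypoint, so any existing
    overrides for the zone must be merged into this payload rather than dropped.
    """
    overrides = [{"id": rid, "enabled": True, "action": action} for rid in sorted(rule_ids)]
    return {
        "rules": [{
            "action": "execute",
            "expression": "true",
            "description": "Cloudflare Managed Ruleset, overrides for 2026-06-09 release",
            "action_parameters": {
                "id": managed_ruleset_id,
                "overrides": {"rules": overrides},
            },
        }]
    }


def apply_overrides(zone_id, api_token, payload):
    """Send the payload to the Cloudflare API (network call; needs a token with zone WAF write)."""
    url = (f"https://api.cloudflare.com/client/v4/zones/{zone_id}"
           "/rulesets/phases/http_request_firewall_managed/entrypoint")
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), method="PUT",
        headers={"Authorization": f"Bearer {api_token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    payload = build_entrypoint_payload(MANAGED_RULESET_ID, RULES_SHIPPED_DISABLED)
    print(json.dumps(payload, indent=2))
    if os.environ.get("CF_ZONE_ID") and os.environ.get("CF_API_TOKEN"):
        print(apply_overrides(os.environ["CF_ZONE_ID"], os.environ["CF_API_TOKEN"], payload))
```

Run it without `CF_ZONE_ID`/`CF_API_TOKEN` to just print the payload for review; once the `log` hits look clean, rebuild with `action="block"`.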