All Topics
All Topics
Technology
Technology
AI
AI
Business
Business
Entertainment
Entertainment
News
News
Programming
Programming
Security
Security
Science
Science
Design
Design
Environment
Environment
Finance
Finance
Crypto
Crypto
Politics
Politics
Sports
Sports
Education
Education
Gaming
Gaming
Art
Art
Music
Music
Health
Health
Books
Books
Food
Food
Travel
Travel
Personal
Personal
Bluesky
Twitter

WAF - WAF Release - 2026-06-09

25d ago

Source

CloudflareWAF - WAF Release - 2026-06-09cloudflare.com
Snippet from the RSS feed
This release introduces new detections for a critical SQL injection vulnerability in Drupal installations utilizing PostgreSQL (CVE-2026-9082), alongside targeted protection for an unsafe deserialization flaw in the Mirasvit Cache Warmer extension (CVE-2026-45247). Additionally, this release includes coverage for a prototype pollution vector in Axios (CVE-2026-40175) and a new generic rule designed to identify and block sophisticated SQL Injection (SQLi) bypass attempts leveraging obfuscated boolean logic. Key Findings CVE-2026-9082: A database abstraction vulnerability affects Drupal sites configured with a PostgreSQL backend. Remote, unauthenticated attackers can exploit this flaw via crafted inputs to inject malicious SQL commands and access or manipulate backend data. CVE-2026-45247: A PHP Object Injection vulnerability exists in the Mirasvit Cache Warmer extension for Magento and Adobe Commerce. This flaw stems from unsafe deserialization of untrusted user input, enabling unauthenticated attackers to execute arbitrary code on the hosting server. CVE-2026-40175: A prototype pollution vulnerability affects the Axios HTTP client library. Attackers can exploit this to inject malicious properties into the global JavaScript object prototype, potentially causing application crashes (Denial of Service) or executing unauthorized code depending on the application structure. Impact Successful exploitation of these vulnerabilities could allow unauthenticated attackers to execute arbitrary code, manipulate database contents, or induce application crashes, leading to severe operational disruption or complete server compromise. These newly deployed signatures intercept these advanced malicious payloads at the edge before they can interact with vulnerable software configurations. Ruleset Rule ID Legacy Rule ID Description Previous Action New Action Comments Cloudflare Managed Ruleset b4f88cb767874def810edd0b387cf935 N/A Axios - Prototype Pollution - CVE:CVE-2026-40175 Log Block This is a new detection. Cloudflare Managed Ruleset 098997bb8b5f48abb4039bd6417eb9e0 N/A Drupal - PostgreSQL SQLi - CVE:CVE-2026-9082 - Body Log Block This is a new detection. Cloudflare Managed Ruleset 8a7650b99ec04a91a19b8295fd3857fd N/A Drupal - PostgreSQL SQLi - CVE:CVE-2026-9082 - URI Log Block This is a new detection. Cloudflare Managed Ruleset 525c0871787840e6a6193f6caee241d2 N/A SQLi - Obfuscated Boolean - Body N/A Disabled This is a new detection. Cloudflare Managed Ruleset 1ec4aeaf7900463397b82b35d8620070 N/A SQLi - Obfuscated Boolean - Headers N/A Disabled This is a new detection. Cloudflare Managed Ruleset fb74766654c44ff2a5204dc4e0be4d47 N/A Mirasvit Cache Warmer - PHP Object Injection - CVE:CVE-2026-45247 N/A Block This is a new detection.

You might also wanna read

Comments

Sign in to join the conversation.

No comments yet. Be the first.