---
title: WAF Release - 2026-06-15
description: Cloudflare WAF managed rulesets 2026-06-15
image: https://developers.cloudflare.com/changelog-preview.png
---

> Documentation Index  
> Fetch the complete documentation index at: https://developers.cloudflare.com/changelog/llms.txt  
> Use this file to discover all available pages before exploring further. 

[Skip to content](#%5Ftop) 

# Changelog

New updates and improvements at Cloudflare.

[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/index.xml) [ View RSS feeds ](https://developers.cloudflare.com/fundamentals/new-features/available-rss-feeds/) 

![hero image](https://developers.cloudflare.com/_astro/hero.CVYJHPAd_26AMqX.svg) 

[ ← Back to all posts ](https://developers.cloudflare.com/changelog/) 

## WAF Release - 2026-06-15

Jun 15, 2026 

[ WAF ](https://developers.cloudflare.com/waf/) 

This week's release introduces new managed protection to address a critical SQL injection vulnerability in Ghost CMS (CVE-2026-26980) and a new generic rule designed to identify and block sophisticated SQL Injection (SQLi) bypass attempts leveraging obfuscated boolean logic. These rules protect affected installations from unauthorized data exfiltration at the network edge.

**Key Findings**

* CVE-2026-26980: A blind SQL injection vulnerability in the Ghost CMS Content API (versions 3.24.0 to 6.19.0) allows unauthenticated remote attackers to inject malicious SQL commands via query parameters due to improper input validation.

| Ruleset                    | Rule ID     | Legacy Rule ID | Description                           | Previous Action | New Action | Comments                 |
| -------------------------- | ----------- | -------------- | ------------------------------------- | --------------- | ---------- | ------------------------ |
| Cloudflare Managed Ruleset | ...b4c29bc6 | N/A            | Ghost CMS - SQLi - CVE:CVE-2026-26980 | Log             | Block      | This is a new detection. |
| Cloudflare Managed Ruleset | ...b56f403f | N/A            | SQLi - Obfuscated Boolean - URI       | Log             | Disabled   | This is a new detection. |

```json
{"@context":"https://schema.org","@type":"BlogPosting","@id":"https://developers.cloudflare.com/changelog/post/2026-06-15-waf-release/#page","headline":"WAF Release - 2026-06-15 · Changelog","description":"Cloudflare WAF managed rulesets 2026-06-15","url":"https://developers.cloudflare.com/changelog/post/2026-06-15-waf-release/","inLanguage":"en","image":"https://developers.cloudflare.com/changelog-preview.png","dateModified":"2026-06-15","datePublished":"2026-06-15","publisher":{"@type":"Organization","name":"Cloudflare","url":"https://www.cloudflare.com/"},"isPartOf":{"@type":"WebSite","@id":"https://developers.cloudflare.com/#website","name":"Cloudflare Docs","url":"https://developers.cloudflare.com/"}}
```