---
title: "WAF Policies Changelog"
slug: "wap-policies-changelog"
description: "Track updates to threat types and threat rules in the Protection module, including newly added rules and rule updates."
tags: ["API Protection", "Traceable API Security", "Traceable Custom Policies", "Traceable Rule Testing"]
updated: 2026-04-29T13:19:07Z
published: 2026-04-29T13:19:07Z
---

# WAF Policies Changelog

Rule testing allows you to monitor the real-time behavior of newly added or updated rule(s). For more information on rule testing, see [Rule Testing for New or Updated Rule(s)](https://docs.traceable.ai/docs/rule-testing).

The following section highlights the threat types and rules that Traceable has added, updated, or removed, along with their severity:

### 29th April 2026

This update enhances overall detection accuracy, expands attack coverage, and strengthens protection through refined rule logic and improved signature enforcement. The following are some enhancements:

- Improves detection precision and expands attack coverage by refining how request data is analyzed and decoded.
- Strengthens protection through updated signatures across key attack vectors, such as LDAP Injection, SSTI, PHP Injection, XSS, SQL Injection, File Access, and obfuscation techniques.
- Enforces stricter SQL Injection rules in *block* mode to improve defense against high-confidence threats.
- Improves overall consistency and reliability across detection categories with refined rule logic.

#### Updated threat rules

| Threat Rule | Threat Type | Is Aggressive | Severity |
| --- | --- | --- | --- |
| LDAP Injection Attack | HTTP Protocol Attacks | No | High |
| PHP Injection Attack: High-Risk PHP Function Call | PHP Attacks | No | High |
| Server Side Template Injection (SSTI) Attempt | Remote Code Execution | No | High |
| OS File Access Attempt (120) | Local File Inclusion | Yes | Medium |
| Blind SQLI Tests using sleep or benchmark | SQL Injection | No | Medium |
| Concatenated SQL Injection and SQLLFI Attempts (`T360`) | SQL Injection | No | High |
| XSS InjectionChecker: HTML Injection | Cross-Site Scripting (XSS) | No | High |
| NoScript XSS InjectionChecker: HTML Injection | Cross-Site Scripting (XSS) | Yes | Medium |
| JSFuck / Hieroglyphy Obfuscation | Cross-Site Scripting (XSS) | No | Low |

### 2nd February 2026

This update expands attack coverage, improves detection accuracy, and reduces inaccuracies. The following are some enhancements:

- Introduces new WAF detection rules to target PHP vulnerabilities and expand coverage for previously unprotected attack vectors.
- Enhances coverage by refining existing rules with stricter, more accurate signatures to detect and block attacks.
- Improves detection of evasive attacks by enhancing signature logic and accuracy to identify attempts to bypass standard protections.
- Refines sensitive rules aggressively, giving control over enabling rules that are more likely to result in false positives.

#### Added threat rules

| Threat Rule | Threat Type | Is Aggressive | Severity |
| --- | --- | --- | --- |
| NGINX Configuration Code Execution (`CVE-2025-1974`) | Remote Code Execution | No | High |
| PHP CGI Argument Injection (`CVE-2024-4577`) | PHP Attacks | No | High |
| PHP Injection Attack: Variable Function Call Found (210) | PHP Attacks | Yes | High |
| PHP Injection Attack: High-Risk PHP Function Call | PHP Attacks | No | High |

#### Updated threat rules

| Threat Rule | Threat Type | Is Aggressive | Severity |
| --- | --- | --- | --- |
| DB code execution and information gathering attempts | SQL Injection | No | High |
| HTTP Request Smuggling Attack (Content-Length/Transfer-Encoding Confusion) | HTTP Protocol Attacks | No | High |
| Java Spring Core: RCE (`CVE-2022-22965`) | Java Application Attacks | No | Critical |
| NoScript XSS InjectionChecker: Attribute Injection (`T170`) | Cross-Site Scripting (XSS) | No | High |
| Request argument associated with security scanner | Scanner Detection | No | Low |
| User-Agent associated with a security scanner | Scanner Detection | No | Medium |
| XSS InjectionChecker: HTML Injection | Cross-Site Scripting (XSS) | No | High |

#### Added threat types

| Threat Type | Threat Rule |
| --- | --- |
| PHP Attacks | PHP Injection Attack: Variable Function Call Found (210); PHP CGI Argument Injection (`CVE-2024-4577`); PHP Injection Attack: High-Risk PHP Function Call |

### 5th December 2025

This update enhances overall protection capabilities. The following are some enhancements:

- Introduces new WAF detection rules targeting `CVE-2025-55182` in `React` and `Next.js` Server Functions.
- Enhances coverage to detect and block malicious deserialization attempts within server function execution paths.

#### Added threat rules

| Threat Rule | Threat Type | Is Aggressive | Severity |
| --- | --- | --- | --- |
| React and Next.js Server Functions Deserialization RCE (`CVE-2025-55182`) | Remote Code Execution | No | High |
| ReactJS Server Functions Deserialization RCE (`CVE-2025-55182`) | Remote Code Execution | No | High |

### 13th October 2025

This update enhances overall detection accuracy and protection capabilities. The following are some enhancements:

- Protects against evasion-based attacks.
- Safeguards your systems from known CVEs and code injection threats.
- Reduces false positives with improvements from Traceable’s in-house regex assembler.

#### Added threat rules

| Threat Rule | Threat Type | Is Aggressive | Severity |
| --- | --- | --- | --- |
| Authorization Bypass in Next.js Middleware: (`CVE-2025-29927`) | Basic Authentication Violation | No | High |
| Concatenated basic SQL injection and SQLLFI attempts (`T360`) | SQL Injection | No | High |
| Concatenated basic SQL injection and SQLLFI attempts (360) | SQL Injection | Yes | Medium |
| Remote Command Execution: Unix Command Injection (`T105`) | Remote Code Execution | No | High |
| Remote Command Execution: Unix Command Injection (`T100`) | Remote Code Execution | No | High |

#### Updated threat rules

| Threat Rule | Threat Type | Is Aggressive | Severity |
| --- | --- | --- | --- |
| JSFuck / Hieroglyphy Obfuscation | Cross-Site Scripting (XSS) | No | Low |
| Mail Injection: Protocol Manipulation | HTTP Protocol Attacks | No | High |
| Remote Command Execution: Windows PowerShell Command | Remote Code Execution | Yes | High |
| Path Traversal Attack (/../) | Local File Inclusion | No | Medium |
| MySQL and PostgreSQL Stored Procedure/Function Injections | SQL Injection | Yes | Medium |
| DB Code Execution and Information Gathering Attempts | SQL Injection | No | High |
| Suspicious Java Class | Java Application Attacks | No | High |
| SQL Code Execution and Information Gathering Attempts | SQL Injection | Yes | Medium |
| Restricted File Access Attempt | Local File Inclusion | Yes | Medium |
| Request Header Associated with Security Scanner | Scanner Detection | No | Medium |
| Conditional SQL Injection Attempts | SQL Injection | Yes | Medium |
| Request Filename/Argument Associated with Security Scanner | Scanner Detection | No | Low |
| OS File Access Attempt | Local File Inclusion | Yes | Medium |
| XML External Entity Injection: Local/Remote Includes | XML External Entity Injection (XXE) | No | High |
| NoScript XSS InjectionChecker: HTML Injection | Cross-Site Scripting (XSS) | Yes | Medium |
| LDAP Injection Attack | HTTP Protocol Attacks | No | High |
| XSS InjectionChecker: HTML Injection | Cross-Site Scripting (XSS) | No | High |
| Remote Command Execution: Unix Shell Code | Remote Code Execution | No | High |
| GraphQL Introspection Query Detected | GraphQL Attacks | No | Medium |
| Java Spring Core: RCE (`CVE-2022-22965`) | Java Application Attacks | No | Critical |
| Server-Side Template Injection (SSTI) Attempt | Remote Code Execution | No | High |
| Remote Command Execution: Windows Command Injection | Remote Code Execution | Yes | Medium |
| NoScript XSS InjectionChecker: Attribute Injection | Cross-Site Scripting (XSS) | Yes | Medium |
| SQL Injection Attack: Common DB Names | SQL Injection | Yes | Low |

#### Added threat types

| Threat Type | Threat Rule |
| --- | --- |
| Basic Authentication Violation | Authorization Bypass in Next.js Middleware: (`CVE-2025-29927`) |

## Related

- [Web Application Firewall Policies](/wap-policies.md)
- [Profiles and Overrides in WAF Policies](/profiles-in-wap-policies.md)
- [Rule Testing for New or Updated Rule(s)](/rule-testing.md)
