{"id":351,"date":"2026-04-07T00:00:00","date_gmt":"2026-04-07T00:00:00","guid":{"rendered":"https:\/\/wordpress.securinsight.ca\/index.php\/2026\/04\/07\/waf-waf-release-2026-04-07\/"},"modified":"2026-04-07T00:00:00","modified_gmt":"2026-04-07T00:00:00","slug":"waf-waf-release-2026-04-07","status":"publish","type":"post","link":"https:\/\/wordpress.securinsight.ca\/index.php\/2026\/04\/07\/waf-waf-release-2026-04-07\/","title":{"rendered":"WAF &#8211; WAF Release &#8211; 2026-04-07"},"content":{"rendered":"<p>This week&#8217;s release introduces new detections for a critical Remote Code Execution (RCE) vulnerability in MCP Server (CVE-2026-23744), alongside targeted protection for an authentication bypass vulnerability in SolarWinds products (CVE-2025-40552). Additionally, this release includes a new generic detection rule designed to identify and block Cross-Site Scripting (XSS) injection attempts leveraging &#8220;OnEvent&#8221; handlers within HTTP cookies.<\/p>\n<p><strong>Key Findings<\/strong><\/p>\n<ul>\n<li>\n<p>MCP Server (CVE-2026-23744): A vulnerability in the Model Context Protocol (MCP) server implementation where malformed input payloads can trigger a memory corruption state, allowing for arbitrary code execution.<\/p>\n<\/li>\n<li>\n<p>SolarWinds (CVE-2025-40552): A critical flaw in the authentication module allows unauthenticated attackers to bypass security filters and gain unauthorized access to the management console due to improper identity token validation.<\/p>\n<\/li>\n<li>\n<p>XSS OnEvents Cookies: This generic rule identifies malicious event handlers (such as onload or onerror) embedded within HTTP cookie values.<\/p>\n<\/li>\n<\/ul>\n<p><strong>Impact<\/strong><\/p>\n<p>Successful exploitation of the MCP Server and SolarWinds vulnerabilities could allow unauthenticated attackers to execute arbitrary code or gain administrative control, leading to a full system takeover. Additionally, the new generic XSS detection prevents attackers from leveraging browser event handlers in cookies to hijack user sessions or execute malicious scripts.<\/p>\n<table>\n<thead>\n<tr>\n<th>Ruleset<\/th>\n<th>Rule ID<\/th>\n<th>Legacy Rule ID<\/th>\n<th>Description<\/th>\n<th>Previous Action<\/th>\n<th>New Action<\/th>\n<th>Comments<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Cloudflare Managed Ruleset<\/td>\n<td>73ae1cf103da4bacaa2e1a610aa410af <\/td>\n<td>N\/A<\/td>\n<td>Log<\/td>\n<td>Disabled<\/td>\n<td>Generic Rules &#8211; Command Execution &#8211; 5 &#8211; Body<\/td>\n<td>This is a new detection.<\/td>\n<\/tr>\n<tr>\n<td>Cloudflare Managed Ruleset<\/td>\n<td>a88a85b0cc5a4bc2abead6289131ec2f <\/td>\n<td>N\/A<\/td>\n<td>Log<\/td>\n<td>Disabled<\/td>\n<td>Generic Rules &#8211; Command Execution &#8211; 5 &#8211; Header<\/td>\n<td>This is a new detection.<\/td>\n<\/tr>\n<tr>\n<td>Cloudflare Managed Ruleset<\/td>\n<td>28518cdc40544979bbd86720551eb9e5 <\/td>\n<td>N\/A<\/td>\n<td>Log<\/td>\n<td>Block<\/td>\n<td>Generic Rules &#8211; Command Execution &#8211; 5 &#8211; URI<\/td>\n<td>This is a new detection.<\/td>\n<\/tr>\n<tr>\n<td>Cloudflare Managed Ruleset<\/td>\n<td>1177993d53a1467997002b44d46229eb <\/td>\n<td>N\/A<\/td>\n<td>Log<\/td>\n<td>Block<\/td>\n<td>MCP Server &#8211; Remote Code Execution &#8211; CVE:CVE-2026-23744<\/td>\n<td>This is a new detection.<\/td>\n<\/tr>\n<tr>\n<td>Cloudflare Managed Ruleset<\/td>\n<td>3d43cdfbc3c14584942f8bc4a864b9c2 <\/td>\n<td>N\/A<\/td>\n<td>Log<\/td>\n<td>Block<\/td>\n<td>XSS &#8211; OnEvents &#8211; Cookies<\/td>\n<td>This is a new detection.<\/td>\n<\/tr>\n<tr>\n<td>Cloudflare Managed Ruleset<\/td>\n<td>41153470df2365192b0df74ca78ad04e <\/td>\n<td>N\/A<\/td>\n<td>Log<\/td>\n<td>Disabled<\/td>\n<td>SQLi &#8211; Evasion &#8211; Body<\/td>\n<td>This is a new detection.<\/td>\n<\/tr>\n<tr>\n<td>Cloudflare Managed Ruleset<\/td>\n<td>64d812e6d5844d7c9d7a44a440732d48 <\/td>\n<td>N\/A<\/td>\n<td>Log<\/td>\n<td>Disabled<\/td>\n<td>SQLi &#8211; Evasion &#8211; Headers<\/td>\n<td>This is a new detection.<\/td>\n<\/tr>\n<tr>\n<td>Cloudflare Managed Ruleset<\/td>\n<td>50de9369ef7c45928a5dfb34e68a99b5 <\/td>\n<td>N\/A<\/td>\n<td>Log<\/td>\n<td>Disabled<\/td>\n<td>SQLi &#8211; Evasion &#8211; URI<\/td>\n<td>This is a new detection.<\/td>\n<\/tr>\n<tr>\n<td>Cloudflare Managed Ruleset<\/td>\n<td>765ffb5c67b94c9589106c843e8143d2 <\/td>\n<td>N\/A<\/td>\n<td>Log<\/td>\n<td>Disabled<\/td>\n<td>SQLi &#8211; LIKE 3 &#8211; Body<\/td>\n<td>This is a new detection.<\/td>\n<\/tr>\n<tr>\n<td>Cloudflare Managed Ruleset<\/td>\n<td>5c3dbd4f115e47c781491fcd70e7fb97 <\/td>\n<td>N\/A<\/td>\n<td>Log<\/td>\n<td>Disabled<\/td>\n<td>SQLi &#8211; LIKE 3 &#8211; URI<\/td>\n<td>This is a new detection.<\/td>\n<\/tr>\n<tr>\n<td>Cloudflare Managed Ruleset<\/td>\n<td>89fa6027a0334949b1cb2e654c538bd9 <\/td>\n<td>N\/A<\/td>\n<td>Log<\/td>\n<td>Disabled<\/td>\n<td>SQLi &#8211; UNION &#8211; 2 &#8211; Body<\/td>\n<td>This is a new detection.<\/td>\n<\/tr>\n<tr>\n<td>Cloudflare Managed Ruleset<\/td>\n<td>05946b3458364f1b9d4819d561c439c9 <\/td>\n<td>N\/A<\/td>\n<td>Log<\/td>\n<td>Disabled<\/td>\n<td>SQLi &#8211; UNION &#8211; 2 &#8211; URI<\/td>\n<td>This is a new detection.<\/td>\n<\/tr>\n<tr>\n<td>Cloudflare Managed Ruleset<\/td>\n<td>b2fe5c2a39df4609b6d39908cf33ea10 <\/td>\n<td>N\/A<\/td>\n<td>Log<\/td>\n<td>Block<\/td>\n<td>SolarWinds &#8211; Auth Bypass &#8211; CVE:CVE-2025-40552<\/td>\n<td>This is a new detection.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>","protected":false},"excerpt":{"rendered":"<p>This week&#8217;s release introduces new detections for a critical Remote Code Execution (RCE) vulnerability in MCP Server (CVE-2026-23744), alongside targeted protection for an authentication bypass vulnerability in SolarWinds products (CVE-2025-40552). Additionally, this release includes a new generic detection rule designed to identify and block Cross-Site Scripting (XSS) injection attempts leveraging &#8220;OnEvent&#8221; handlers within HTTP cookies. [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-351","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/posts\/351","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/comments?post=351"}],"version-history":[{"count":0,"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/posts\/351\/revisions"}],"wp:attachment":[{"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/media?parent=351"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/categories?post=351"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/tags?post=351"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}