.detection_mode() to query the WAF engine’s effective state
(On/DetectionOnly/Off) for the current transaction from VCL..log_matches() to write non-disruptive rule matches to the VSL
under the WAF tag with a MATCH: prefix, for observability while
running in DetectionOnly or while tuning CRS anomaly scoring. Wired
to the waf-log-matches request header in the bundled waf.vcl.verify* operators), along with a number
of other upstream stability fixes.HexDecode patch shipped in 1.2.1 in favor of the
equivalent upstream fix for
CVE-2026-30923
in ModSecurity 3.0.15.HexDecode transformation,
discovered independently and later assigned
CVE-2026-30923
upstream.NULL: methods now fail gracefully with
VRT_fail instead of asserting when called on a NULL object..check_req() with a NULL string.