SummitRoute / csp_security_mistakes

This repo has been replaced by https://www.cloudvulndb.org

Home Page: https://www.cloudvulndb.org/


AWS WAF Bypass

ramimac opened this issue

https://www.gosecure.net/blog/2021/10/19/a-scientific-notation-bug-in-mysql-left-aws-waf-clients-vulnerable-to-sql-injection/

Recommending for inclusion as AWS chose to patch. Would not generally consider WAF bypasses notable.

Thank you and good points about WAF bypasses generally not being notable, but AWS did make a fix. In considering this, I've decided to exclude WAF bypasses from this list. WAFs are inherently a cat-and-mouse game, so including them would flood this list. I also can't really consider bypasses to be a CSP mistake, because again it's sort of the nature of them. In considering this though, it did make me think of the 8KB limit that AWS WAF has (https://osamaelnaggar.com/blog/aws_waf_dangerous_defaults/) which seems like a different class of issues, because it is a generic bypass for all WAF rules. I'm on the fence on that one as it seems different, but for now I think I'm going to just make the broad decision of not including WAF bypasses. Thank you for raising this though.