Found an XSS payload that bypassed the ModSecurity coreruleset.

It is fixed now.

https://github.com/coreruleset/coreruleset/issues/3381