A SQL injection bypass exists in OWASP ModSecurity Core Rule Set through v3.1.0-rc3 via {`a`b} where a is a special function name and b is the SQL statement to be executed.