A Cloudflare WAF bypass XSS vulnerability was discovered by @Shad0wH3x. The payload used to bypass the WAF is <img hrEF="x" sRC="data:x" oNLy=1 oNErrOR=prompt`1`. This payload tricks the WAF by executing a prompt when the image is loaded. To protect against this bypass, Cloudflare should update their WAF rules to detect and block such payloads.
For more insights, check out the original tweet here: https://twitter.com/XssPayloads/status/1805805676662255918