A WAF is protecting this search endpoint. It blocks any request containing <script in the search parameter.
Can you bypass the WAF and get your XSS payload through?
Hint: Try sending ?search[]=<scri&search[]=pt>alert(1)</script>
Use the URL: ?search[]=<scri&search[]=pt>alert(1)</script>
The WAF checks each value of search[] separately. Neither value contains the full <script string, so the request passes. The backend then concatenates the values, which reassembles the full payload.
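
The inspection gap described above, next to a corrected rule and output encoding. This is an added example and not code from the challenge. The function names are hypothetical, and it assumes the backend joins the values with no separator and that the match is case-insensitive.

```javascript
// Constructed sample input: the query string from the challenge above.
const SAMPLE_QUERY = "search[]=<scri&search[]=pt>alert(1)</script>";

// Collect every value sent as `search` or `search[]`, in request order.
// URLSearchParams percent-decodes, so encoded forms are inspected decoded.
function searchValues(query) {
  const values = [];
  for (const [name, value] of new URLSearchParams(query)) {
    if (name === "search" || name === "search[]") values.push(value);
  }
  return values;
}

// Assumed backend behaviour (from the page): values are joined with no separator.
function backendView(query) {
  return searchValues(query).join("");
}

// Weak rule described on the page: each value is matched on its own.
function wafPerValue(query) {
  const hit = searchValues(query).some((v) => v.toLowerCase().includes("<script"));
  return hit ? "block" : "allow";
}

// Corrected rule: match against the string the backend will actually build.
function wafNormalized(query) {
  return backendView(query).toLowerCase().includes("<script") ? "block" : "allow";
}

// Defence that does not depend on the WAF: HTML-encode the value on output.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

console.log("per-value rule:", wafPerValue(SAMPLE_QUERY));
console.log("normalized rule:", wafNormalized(SAMPLE_QUERY));
console.log("encoded output:", escapeHtml(backendView(SAMPLE_QUERY)));
```

The normalized rule only holds while the WAF and the backend parse repeated parameters the same way, so the output encoding is the control that does not depend on that agreement.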