Elgg does not have any known security issues (which is different from saying that it doesn't have any security issues which are not known at the moment, of course).
Here is a link about this: http://trac.elgg.org/ticket/1753
The short answer is the mod security doesn't like "http" included in a request parameter.
Why don't you contact your host's technical support and show them your URL similar to this
javascript:location.href='http://community.elgg.org/mod/bookmarks /add.php?address='+encodeURIComponent(location.href)+'& title='+encodeURIComponent(document.title)
OR
javascript:location.href='http://community.elgg.org/mod/reportedcontent/add.php?address='+encodeURIComponent(location.href)+'&title='+encodeURIComponent(document.title)
and ask them to "WhiteList" it in mod_security configs ? It is the format of the URLs that mod_security is detecting as potential threat. Others have had this same issue in the past and the only way out is via your Tech Supp. That should get rid of the "406" ;-)
[Admin: this post has been removed for being off-topic. A new thread should be created for a different topic]
info@elgg.org
Security issues should be reported to security@elgg.org!
©2014 the Elgg Foundation
Elgg is a registered trademark of Thematic Networks.
Cover image by Raül Utrera is used under Creative Commons license.
Icons by Flaticon and FontAwesome.