The fragment (location.hash) is written straight into the page via innerHTML — a client-side sink with no sanitization.
location.hash
innerHTML
Trigger: /xss/dom.html#<img src=x onerror=alert(1)>
/xss/dom.html#<img src=x onerror=alert(1)>
Detected by: browser_cdp_dom_xss_trace, browser_cdp_js_sink_monitor
browser_cdp_dom_xss_trace
browser_cdp_js_sink_monitor