| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.jenkins-ci.plugins.m2release:m2release | maven | < 0.15.0 | 0.15.0 |
The vulnerability stemmed from unescaped variables in the Jelly templates used to render the plugin's UI components. Commit d32dcfe explicitly adds `<?jelly escape-by-default='true'?>` to these files, confirming that they previously lacked output encoding. Each modified template corresponds to a distinct UI element (list views, build status pages, dashboard widgets) in which attacker-controlled data (e.g., release parameters) could be injected and executed as script content.
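The same class of defect is easy to audit for: a Jelly template that does not declare `escape-by-default` writes every `${...}` expression into the page unencoded. The script below is an added example, not part of the advisory or the m2release plugin; it builds a constructed plugin tree (the `org.example.hypothetical` package and both template files are made up) and lists the templates that lack the directive.

```shell
#!/bin/sh
# Added example (not from the advisory or the m2release plugin): audit a
# plugin source tree for Jelly templates that do not opt into output escaping.
# Assumes POSIX sh plus find, head and grep -E; all paths and template
# contents below are constructed for the demonstration.

# Print every .jelly file under $1 whose first five lines lack the
# <?jelly escape-by-default='true'?> processing instruction (either quote
# style is accepted). One path per line; always exits 0 so it can be piped.
find_unescaped_jelly() {
    find "$1" -name '*.jelly' | sort | while read -r f; do
        if ! head -n 5 "$f" | grep -Eq '<\?jelly escape-by-default=.true.\?>'; then
            echo "$f"
        fi
    done
}

# Build a constructed tree with one fixed and one unfixed template and
# print the resources directory that was created.
make_demo_tree() {
    res="$1/src/main/resources/org/example/hypothetical"
    mkdir -p "$res"
    # Fixed template: the directive makes every ${...} expression HTML-escaped.
    cat > "$res/summary.jelly" <<'EOF'
<?jelly escape-by-default='true'?>
<j:jelly xmlns:j="jelly:core">
  <div>Released ${it.releaseVersion}</div>
</j:jelly>
EOF
    # Unfixed template: ${...} is written raw into the rendered page.
    cat > "$res/badge.jelly" <<'EOF'
<j:jelly xmlns:j="jelly:core">
  <span>${it.releaseVersion}</span>
</j:jelly>
EOF
    echo "$res"
}

tmp="${TMPDIR:-/tmp}/jelly-audit.$$"
make_demo_tree "$tmp" >/dev/null
echo "Templates without escape-by-default:"
find_unescaped_jelly "$tmp"   # prints only .../badge.jelly
rm -rf "$tmp"
```

Point the function at a checked-out plugin's `src/main/resources` to get the list of templates to review; an empty list means every template declares the directive, not that every expression is safe (templates that deliberately emit raw HTML still need a manual look).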