CVE-2022-45382: Cross-site Scripting in Jenkins Naginator Plugin
CVSS Score: 5.4
Basic Information
Technical Details
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.jenkins-ci.plugins:naginator | maven | <= 1.18.1 | 1.18.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper escaping of build display names in the NaginatorCause's Jelly template. The commit diff shows the removal of <j:out> wrappers around message outputs (e.g., ${%DescriptionWithLinkToSource(...)}). In Jenkins Jelly, <j:out> normally escapes content, but when wrapping localized messages containing embedded parameters (like it.summary), it may fail to properly escape parameters injected into HTML contexts within the message. The test case added in the commit verifies that raw HTML in display names is now escaped, confirming the XSS vector was in this rendering logic. The vulnerable code paths are the message rendering sections in description.jelly that handled user-controlled display names without adequate escaping.
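
The rendering flaw described above, as a simplified Python model with a check in the spirit of the test case the analysis mentions. This is an added example, not code from the plugin or its fix commit: the message text, build URL and display name are constructed, and `render_raw`, `render_escaped` and `unexpected_tags` are hypothetical helper names.

```python
import html
from html.parser import HTMLParser

# Constructed stand-in for a localized message that embeds a link;
# not the plugin's real resource string.
MESSAGE = 'Started by Naginator after build <a href="{0}">{1}</a> failed'


def render_raw(url, display_name):
    """Vulnerable shape: parameters go into the HTML message unescaped."""
    return MESSAGE.format(url, display_name)


def render_escaped(url, display_name):
    """Fixed shape: every parameter is HTML-escaped before substitution."""
    return MESSAGE.format(html.escape(url, quote=True),
                          html.escape(display_name, quote=True))


class _TagCollector(HTMLParser):
    """Records every start tag an HTML parser sees in the rendered output."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def unexpected_tags(markup, allowed=("a",)):
    """Return tags in the markup that the message template did not supply."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return [t for t in collector.tags if t not in allowed]


# Constructed test values: a build URL and a display name carrying raw HTML.
BUILD_URL = "job/demo/7/"
HOSTILE_NAME = "<img src=x onerror=alert(1)>"

if __name__ == "__main__":
    for render in (render_raw, render_escaped):
        out = render(BUILD_URL, HOSTILE_NAME)
        print(f"{render.__name__}: {out}\n  injected tags: {unexpected_tags(out)}")
```

A regression test for the real template would make the same assertion against the rendered page: the display name appears as text and contributes no elements of its own.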