| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.jenkins-ci.plugins:docker-swarm | maven | <= 1.11 | |
The vulnerability stems from unescaped Docker response values being rendered in the dashboard view. Jenkins plugins typically use Jelly templates for UI rendering and Java classes to process data. The XSS vector arises from the combination of (1) Java code that ingests data from the Docker API without sanitization and (2) Jelly templates that interpolate that data directly, without escaping utilities such as Jenkins' 'h' object. Exact function names are not disclosed, but the pattern matches the usual form of XSS vulnerabilities in Jenkins plugin dashboard views.
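An added example, not the plugin's own code: a small audit that flags the unescaped-interpolation pattern described above in Jelly views. The two sample views and the names `it.nodes`, `node.hostname` and `node.status` are constructed; the check assumes Jenkins' `<?jelly escape-by-default='true'?>` directive and `h.escape`, and it covers only element text and `<j:out>`.

```python
import re

EXPR = re.compile(r"\$\{([^}]*)\}")
ESCAPE_PI = re.compile(r"<\?jelly\s+escape-by-default\s*=\s*['\"]true['\"]\s*\?>")
TEXT_NODE = re.compile(r">([^<]*)<")          # text between tags; attributes are skipped
J_OUT = re.compile(r"<j:out\s+value\s*=\s*\"([^\"]*)\"")

# Constructed views; it.nodes / node.hostname / node.status are hypothetical names.
VULNERABLE_VIEW = """<j:jelly xmlns:j="jelly:core">
  <j:forEach var="node" items="${it.nodes}">
    <td>${node.hostname}</td>
    <td><j:out value="${node.status}"/></td>
  </j:forEach>
</j:jelly>
"""

HARDENED_VIEW = """<?jelly escape-by-default='true'?>
<j:jelly xmlns:j="jelly:core">
  <j:forEach var="node" items="${it.nodes}">
    <td>${node.hostname}</td>
    <td><j:out value="${h.escape(node.status)}"/></td>
  </j:forEach>
</j:jelly>
"""

def audit_jelly(source):
    """Return sorted (line, expression, reason) findings for one Jelly view."""
    findings = []

    def check(pattern, reason):
        for node in pattern.finditer(source):
            for expr in EXPR.finditer(node.group(1)):
                if "h.escape(" in expr.group(1):
                    continue  # explicitly escaped
                line = source.count("\n", 0, node.start(1) + expr.start()) + 1
                findings.append((line, expr.group(0), reason))

    # Without the directive, ${...} in element text is written out unescaped.
    if not ESCAPE_PI.search(source):
        check(TEXT_NODE, "text interpolation without escape-by-default")
    # <j:out> writes its value raw even when escape-by-default is on.
    check(J_OUT, "j:out emits raw markup")
    return sorted(findings)

if __name__ == "__main__":
    for name, view in (("vulnerable", VULNERABLE_VIEW), ("hardened", HARDENED_VIEW)):
        print(name, audit_jelly(view))
```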