Jenkins build-metrics has a reflected cross-site scripting vulnerability. Plugin allows attackers to inject arbitrary HTML and JavaScript into the plugin’s web pages.