An issue exists in ThoughtWorks GoCD prior to 21.3.0. An attacker in control of a GoCD Agent can plant malicious JavaScript into a failed Job Report.
thoughtworks gocd