When having a pull request title which contains quotes the title is put into the build description unescaped which actually allows XSS (e. g. execute a task in the name of a different user).

At first glance it only corrupts the output: