Type: Improvement
Resolution: Incomplete
Priority: Major
If all Jenkins jobs are configured for polling of <URL of the Git repository>, then invoking curl on the following URL will spawn builds for all of the jobs:
http://yourserver/jenkins/git/notifyCommit?url=<URL of the Git repository>&sha1=<commit ID>
Since this URL doesn't require authentication even for secured Jenkins, any user can (accidentally) cause Denial of Service while all Jobs run for an arbitrary <commit ID>. There may be hundreds of jobs configured for polling, so this can clog up the build queue for a long time.