VYPR
Medium severity (CVSS 4.6) · OSV Advisory · Published Jul 30, 2024 · Updated Apr 15, 2026

CVE-2024-41943

Description

I, Librarian is an open-source version of a PDF managing SaaS. PDF notes are displayed on the Item Summary page without any form of validation or sanitization. An attacker can exploit this vulnerability by inserting a payload in the PDF notes that contains malicious code or script. This code will then be executed when the page is loaded in the browser. The vulnerability was fixed in version 5.11.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in I, Librarian via unsanitized PDF notes allows attackers to execute arbitrary JavaScript when viewing item summary pages.

Vulnerability

CVE-2024-41943 is a stored cross-site scripting (XSS) vulnerability in I, Librarian, an open-source PDF management application. The vulnerability exists because PDF notes are displayed on the Item Summary page without any validation or sanitization [1][2]. This allows an attacker to inject malicious HTML or JavaScript code into the notes field.

Exploitation

An attacker who can create or modify PDF notes (e.g., a user with access to the application) can insert a crafted payload. When any user views the affected Item Summary page, the payload is executed in the context of the victim's browser [2]. No additional user interaction beyond viewing the page is required.

Impact

Successful exploitation leads to arbitrary script execution, which can be used to steal session cookies, exfiltrate sensitive data, perform actions on behalf of the victim, or deface the application interface [2]. The CVSS v3 base score is 4.6 (Medium), reflecting the need for some privileges and the potential for scope change.

Mitigation

The vulnerability has been patched in version 5.11.1 of I, Librarian [1][2]. Users are strongly advised to upgrade to this version or later. No workarounds are documented.
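The defect class described above, shown as an added example that is not I, Librarian's own code: the vulnerable pattern concatenates note text straight into page markup, while the hardened pattern escapes the note before any presentation markup is added. Function names and the sample note are constructed for this illustration.

```javascript
// Added example (not from the I, Librarian code base): the rendering defect
// behind CVE-2024-41943 is that stored note text reaches the Item Summary page
// as raw HTML. Function names below are hypothetical.

// Vulnerable pattern: note text is concatenated straight into markup, so any
// tag stored in the note becomes part of the page.
function renderNoteUnsafe(note) {
  return '<div class="note">' + note + '</div>';
}

// Escape the five characters that can change parsing context in text content
// or a double-quoted attribute.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened pattern: escape first, then add presentation markup (line breaks).
// Doing it in the other order would re-introduce the tags the escape removed.
function renderNoteSafe(note) {
  const asText = escapeHtml(note).replace(/\r?\n/g, '<br>');
  return '<div class="note">' + asText + '</div>';
}

// Detection aid for reviewing already-stored notes after upgrading: flags a
// note that contains an HTML tag, which plain reading notes rarely need.
// A bare "<" or ">" used as a comparison sign is not flagged.
function noteContainsMarkup(note) {
  return /<\/?[a-z][^>]*>/i.test(note);
}

// Constructed sample note containing a harmless script-tag probe.
const sampleNote = 'See p. 3 & 4\n<script>alert(1)</script>';

console.log(renderNoteUnsafe(sampleNote)); // tag survives: script would run
console.log(renderNoteSafe(sampleNote));   // tag rendered as visible text
console.log(noteContainsMarkup(sampleNote)); // true
```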

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
