Security News

Cybersecurity news aggregator

HIGH Updates Red Hat Errata

RHSA-2026:10710: Important: pcs security update

This advisory addresses an Important security update for the `pcs` package in Red Hat Enterprise Linux 9, fixing CVE-2026-4800 (CVSS 8.1 High). The vulnerability is in the embedded lodash library, where versions prior to 4.17.21 are affected by an arbitrary code execution flaw via untrusted input in template imports. The fix is included in the updated `pcs` packages provided by Red Hat.

Red Hat Product Errata
RHSA-2026:10710 - Security Advisory
Issued: 2026-04-27
Updated: 2026-04-27

Synopsis
Important: pcs security update

Type/Severity
Security Advisory: Important

Topic
An update for pcs is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description
The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities.

Security Fix(es):
- lodash: lodash: Arbitrary code execution via untrusted input in template imports (CVE-2026-4800)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258

Affected Products
- Red Hat Enterprise Linux High Availability for x86_64 9 x86_64
- Red Hat Enterprise Linux High Availability for ARM 64 9 aarch64
- Red Hat Enterprise Linux Resilient Storage for x86_64 9 x86_64
- Red Hat Enterprise Linux Resilient Storage for IBM z Systems 9 s390x
- Red Hat Enterprise Linux High Availability for IBM z Systems 9 s390x
- Red Hat Enterprise Linux Resilient Storage for Power, little endian 9 ppc64le
- Red Hat Enterprise Linux High Availability for Power, little endian 9 ppc64le

Fixes
- BZ - 2453496 - CVE-2026-4800 lodash: lodash: Arbitrary code execution via untrusted input in template imports

CVEs
- CVE-2026-4800

References
- https://access.redhat.com/security/updates/classification/#important

Updated Packages
Note: More recent versions of these packages may be available.

SRPM (all affected products):
- pcs-0.11.10-1.el9_7.3.src.rpm

x86_64 (High Availability, Resilient Storage):
- pcs-0.11.10-1.el9_7.3.x86_64.rpm
- pcs-snmp-0.11.10-1.el9_7.3.x86_64.rpm

aarch64 (High Availability):
- pcs-0.11.10-1.el9_7.3.aarch64.rpm
- pcs-snmp-0.11.10-1.el9_7.3.aarch64.rpm

s390x (High Availability, Resilient Storage):
- pcs-0.11.10-1.el9_7.3.s390x.rpm
- pcs-snmp-0.11.10-1.el9_7.3.s390x.rpm

ppc64le (High Availability, Resilient Storage):
- pcs-0.11.10-1.el9_7.3.ppc64le.rpm
- pcs-snmp-0.11.10-1.el9_7.3.ppc64le.rpm

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
