A critical vulnerability (CVE-2026-4800, CVSS 8.1 High) in the lodash library bundled with the pcs cluster management tool allows arbitrary code execution via untrusted input in template imports. The underlying lodash library is affected in versions prior to 4.17.21, and the fix requires updating the pcs packages provided by Red Hat. Red Hat Enterprise Linux 10.0 Extended Update Support users should apply the provided pcs security update immediately.
Red Hat Product Errata RHSA-2026:11470 - Security Advisory Issued: 2026-04-29 Updated: 2026-04-29 RHSA-2026:11470 - Security Advisory Overview Updated Packages Synopsis Important: pcs security update Type/Severity Security Advisory: Important Red Hat Lightspeed patch analysis Identify and remediate systems affected by this advisory. View affected systems Topic An update for pcs is now available for Red Hat Enterprise Linux 10.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities. Security Fix(es): lodash: lodash: Arbitrary code execution via untrusted input in template imports (CVE-2026-4800) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 Affected Products Red Hat Enterprise Linux High Availability for x86_64 - Extended Update Support 10.0 x86_64 Red Hat Enterprise Linux High Availability for Power, little endian - Extended Update Support 10.0 ppc64le Red Hat Enterprise Linux High Availability (for IBM z Systems) - Extended Update Support 10.0 s390x Red Hat Enterprise Linux High Availability (for ARM 64) - Extended Update Support 10.0 aarch64 Red Hat Enterprise Linux High Availability for ARM 64 - 4 years of updates 10.0 aarch64 Red Hat Enterprise Linux High Availability for IBM z Systems - 4 years of updates 10.0 s390x Red Hat Enterprise Linux High Availability for Power, little endian - 4 years of updates 10.0 ppc64le Red Hat Enterprise Linux High Availability for x86_64 - 4 years of updates 10.0 x86_64 Fixes BZ - 2453496 - CVE-2026-4800 lodash: lodash: Arbitrary code execution via untrusted input in template imports CVEs CVE-2026-4800 References https://access.redhat.com/security/updates/classification/#important Note: More recent versions of these packages may be available. Click a package name for more details. Red Hat Enterprise Linux High Availability for x86_64 - Extended Update Support 10.0 SRPM pcs-0.12.0-3.el10_0.5.src.rpm SHA-256: 513c213b263a6bb5cbad36d3a2792a20ff17cf92772b3453bdccbec473d27f1e x86_64 cockpit-ha-cluster-0.12.0-3.el10_0.5.noarch.rpm SHA-256: f6daf36e6c2417fe5af5089247dea0d67fd64d56707fd5c8a26883f57015fb91 pcs-0.12.0-3.el10_0.5.x86_64.rpm SHA-256: f2c4a8f29785613ac46021565855965e337da66a275b299cb0d625e77e6536cb pcs-snmp-0.12.0-3.el10_0.5.x86_64.rpm SHA-256: b8c9e923ca45801bbf1176bc4873ece5d1af60463526ce3b5bc49fc7e8afa7be Red Hat Enterprise Linux High Availability for Power, little endian - Extended Update Support 10.0 SRPM pcs-0.12.0-3.el10_0.5.src.rpm SHA-256: 513c213b263a6bb5cbad36d3a2792a20ff17cf92772b3453bdccbec473d27f1e ppc64le cockpit-ha-cluster-0.12.0-3.el10_0.5.noarch.rpm SHA-256: f6daf36e6c2417fe5af5089247dea0d67fd64d56707fd5c8a26883f57015fb91 pcs-0.12.0-3.el10_0.5.ppc64le.rpm SHA-256: 23a8cc48888dde39a2ad04165aebe741b579811a17d648578320459d492e547a pcs-snmp-0.12.0-3.el10_0.5.ppc64le.rpm SHA-256: 05c6a826f1dc17ea3e2b2583b1b470444719c1e5534d4470f53bd7407828c296 Red Hat Enterprise Linux High Availability (for IBM z Systems) - Extended Update Support 10.0 SRPM pcs-0.12.0-3.el10_0.5.src.rpm SHA-256: 513c213b263a6bb5cbad36d3a2792a20ff17cf92772b3453bdccbec473d27f1e s390x cockpit-ha-cluster-0.12.0-3.el10_0.5.noarch.rpm SHA-256: f6daf36e6c2417fe5af5089247dea0d67fd64d56707fd5c8a26883f57015fb91 pcs-0.12.0-3.el10_0.5.s390x.rpm SHA-256: 2f55beff4c2af18efb037f49ed411a191b4b30841e8e91f6315d63da5bf1fa12 pcs-snmp-0.12.0-3.el10_0.5.s390x.rpm SHA-256: 2c062a218508e8bda7793dbafe2457aea5df181c08ee18c13307c8b727e84199 Red Hat Enterprise Linux High Availability (for ARM 64) - Extended Update Support 10.0 SRPM pcs-0.12.0-3.el10_0.5.src.rpm SHA-256: 513c213b263a6bb5cbad36d3a2792a20ff17cf92772b3453bdccbec473d27f1e aarch64 cockpit-ha-cluster-0.12.0-3.el10_0.5.noarch.rpm SHA-256: f6daf36e6c2417fe5af5089247dea0d67fd64d56707fd5c8a26883f57015fb91 pcs-0.12.0-3.el10_0.5.aarch64.rpm SHA-256: b5006f40fd1604f7bac7b848fe28773a43c5a6784bcf15afbdc28584cc4ad85f pcs-snmp-0.12.0-3.el10_0.5.aarch64.rpm SHA-256: ad3a1274f8a762dce1c795b38ef62873290ff778bcf6e21cc1cee608fec90e4c Red Hat Enterprise Linux High Availability for ARM 64 - 4 years of updates 10.0 SRPM pcs-0.12.0-3.el10_0.5.src.rpm SHA-256: 513c213b263a6bb5cbad36d3a2792a20ff17cf92772b3453bdccbec473d27f1e aarch64 cockpit-ha-cluster-0.12.0-3.el10_0.5.noarch.rpm SHA-256: f6daf36e6c2417fe5af5089247dea0d67fd64d56707fd5c8a26883f57015fb91 pcs-0.12.0-3.el10_0.5.aarch64.rpm SHA-256: b5006f40fd1604f7bac7b848fe28773a43c5a6784bcf15afbdc28584cc4ad85f pcs-snmp-0.12.0-3.el10_0.5.aarch64.rpm SHA-256: ad3a1274f8a762dce1c795b38ef62873290ff778bcf6e21cc1cee608fec90e4c Red Hat Enterprise Linux High Availability for IBM z Systems - 4 years of updates 10.0 SRPM pcs-0.12.0-3.el10_0.5.src.rpm SHA-256: 513c213b263a6bb5cbad36d3a2792a20ff17cf92772b3453bdccbec473d27f1e s390x cockpit-ha-cluster-0.12.0-3.el10_0.5.noarch.rpm SHA-256: f6daf36e6c2417fe5af5089247dea0d67fd64d56707fd5c8a26883f57015fb91 pcs-0.12.0-3.el10_0.5.s390x.rpm SHA-256: 2f55beff4c2af18efb037f49ed411a191b4b30841e8e91f6315d63da5bf1fa12 pcs-snmp-0.12.0-3.el10_0.5.s390x.rpm SHA-256: 2c062a218508e8bda7793dbafe2457aea5df181c08ee18c13307c8b727e84199 Red Hat Enterprise Linux High Availability for Power, little endian - 4 years of updates 10.0 SRPM pcs-0.12.0-3.el10_0.5.src.rpm SHA-256: 513c213b263a6bb5cbad36d3a2792a20ff17cf92772b3453bdccbec473d27f1e ppc64le cockpit-ha-cluster-0.12.0-3.el10_0.5.noarch.rpm SHA-256: f6daf36e6c2417fe5af5089247dea0d67fd64d56707fd5c8a26883f57015fb91 pcs-0.12.0-3.el10_0.5.ppc64le.rpm SHA-256: 23a8cc48888dde39a2ad04165aebe741b579811a17d648578320459d492e547a pcs-snmp-0.12.0-3.el10_0.5.ppc64le.rpm SHA-256: 05c6a826f1dc17ea3e2b2583b1b470444719c1e5534d4470f53bd7407828c296 Red Hat Enterprise Linux High Availability for x86_64 - 4 years of updates 10.0 SRPM pcs-0.12.0-3.el10_0.5.src.rpm SHA-256: 513c213b263a6bb5cbad36d3a2792a20ff17cf92772b3453bdccbec473d27f1e x86_64 cockpit-ha-cluster-0.12.0-3.el10_0.5.noarch.rpm SHA-256: f6daf36e6c2417fe5af5089247dea0d67fd64d56707fd5c8a26883f57015fb91 pcs-0.12.0-3.el10_0.5.x86_64.rpm SHA-256: f2c4a8f29785613ac46021565855965e337da66a275b299cb0d625e77e6536cb pcs-snmp-0.12.0-3.el10_0.5.x86_64.rpm SHA-256: b8c9e923ca45801bbf1176bc4873ece5d1af60463526ce3b5bc49fc7e8afa7be The Red Hat security contact is secalert@redhat.com . More contact details at https://access.redhat.com/security/team/contact/ .