Red Hat Product Errata
RHSA-2026:11469 - Security Advisory

Issued: 2026-04-29
Updated: 2026-04-29

Synopsis
Important: pcs security update

Type/Severity
Security Advisory: Important

Topic
An update for pcs is now available for Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description
The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities.

Security Fix(es):
lodash: lodash: Arbitrary code execution via untrusted input in template imports (CVE-2026-4800)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258

Affected Products
Red Hat Enterprise Linux High Availability for Power LE - Update Services for SAP Solutions 9.2 ppc64le
Red Hat Enterprise Linux High Availability for x86_64 - Update Services for SAP Solutions 9.2 x86_64
Red Hat Enterprise Linux High Availability for ARM 64 - 4 years of updates 9.2 aarch64
Red Hat Enterprise Linux High Availability for IBM z Systems - 4 years of updates 9.2 s390x
Red Hat Enterprise Linux Resilient Storage for x86_64 - 4 years of updates 9.2 x86_64
Red Hat Enterprise Linux Resilient Storage for Power, little endian - 4 years of updates 9.2 ppc64le
Red Hat Enterprise Linux Resilient Storage for IBM z Systems - 4 years of updates 9.2 s390x
Red Hat Enterprise Linux High Availability for x86_64 - Advanced Update Support 9.2 x86_64
Red Hat Enterprise Linux High Availability for ARM 64 - Extended Life Cycle 9.2 aarch64
Red Hat Enterprise Linux High Availability for Power, little endian - Extended Life Cycle 9.2 ppc64le
Red Hat Enterprise Linux High Availability for IBM z Systems - Extended Life Cycle 9.2 s390x
Red Hat Enterprise Linux High Availability for x86_64 - Extended Life Cycle 9.2 x86_64
Red Hat Enterprise Linux Resilient Storage for Power, little endian - Extended Life Cycle 9.2 ppc64le
Red Hat Enterprise Linux Resilient Storage for IBM z Systems - Extended Life Cycle 9.2 s390x
Red Hat Enterprise Linux Resilient Storage for x86_64 - Extended Life Cycle 9.2 x86_64

Fixes
BZ - 2453496 - CVE-2026-4800 lodash: lodash: Arbitrary code execution via untrusted input in template imports

CVEs
CVE-2026-4800

References
https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available.

Updated Packages
The same builds are listed for every product under Affected Products that shares an architecture.

SRPM
pcs-0.11.4-7.el9_2.8.src.rpm

ppc64le
pcs-0.11.4-7.el9_2.8.ppc64le.rpm
pcs-snmp-0.11.4-7.el9_2.8.ppc64le.rpm

x86_64
pcs-0.11.4-7.el9_2.8.x86_64.rpm
pcs-snmp-0.11.4-7.el9_2.8.x86_64.rpm

aarch64
pcs-0.11.4-7.el9_2.8.aarch64.rpm
pcs-snmp-0.11.4-7.el9_2.8.aarch64.rpm

s390x
pcs-0.11.4-7.el9_2.8.s390x.rpm
pcs-snmp-0.11.4-7.el9_2.8.s390x.rpm

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

A high-severity vulnerability (CVE-2026-4800, CVSS 8.1 HIGH) in the lodash library used by the `pcs` cluster management tool allows arbitrary code execution via untrusted input in template imports. The vulnerability affects lodash versions prior to 4.17.21, lodash-es prior to 4.17.21, lodash-rails prior to 4.17.21, and lodash.template up to and including 4.5.0. Red Hat has released a security update for `pcs` that addresses the issue by incorporating the fixed lodash version 4.17.21.
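
To confirm that a host on one of the affected 9.2 streams carries the fixed build, compare its installed pcs version against pcs-0.11.4-7.el9_2.8 using rpm's segment-wise ordering rather than a plain string comparison, which misorders releases such as `el9_2.10`. The following is an added example, not part of the advisory and not Red Hat's code: a simplified reimplementation of rpm's ordering (the `~` rule is handled, `^` is not), with `has_fix` and the other helper names chosen here for illustration.

```python
import re

FIXED_EVR = "0.11.4-7.el9_2.8"  # fixed pcs build named in this advisory

def rpmvercmp(a: str, b: str) -> int:
    """Order two version or release strings segment by segment, as rpm does."""
    while a or b:
        # Separators carry no weight; '~' is the only significant one here.
        a = re.sub(r"^[^A-Za-z0-9~]+", "", a)
        b = re.sub(r"^[^A-Za-z0-9~]+", "", b)
        if a.startswith("~") or b.startswith("~"):
            if not a.startswith("~"):
                return 1   # '~' sorts before everything, even end of string
            if not b.startswith("~"):
                return -1
            a, b = a[1:], b[1:]
            continue
        if not a or not b:
            break
        numeric = a[0].isdigit()
        pat = r"^[0-9]+" if numeric else r"^[A-Za-z]+"
        sa = re.match(pat, a).group(0)
        mb = re.match(pat, b)
        if mb is None:  # segment types differ: a numeric segment is newer
            return 1 if numeric else -1
        sb = mb.group(0)
        a, b = a[len(sa):], b[len(sb):]
        ka, kb = (int(sa), int(sb)) if numeric else (sa, sb)
        if ka != kb:
            return 1 if ka > kb else -1
    return (len(a) > 0) - (len(b) > 0)  # whichever has text left is newer

def split_evr(evr: str):
    """Split '[epoch:]version-release'; a missing epoch counts as 0."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, _, release = rest.partition("-")
    return epoch, version, release

def evr_cmp(a: str, b: str) -> int:
    for x, y in zip(split_evr(a), split_evr(b)):
        c = rpmvercmp(x, y)
        if c:
            return c
    return 0

def has_fix(installed_evr: str) -> bool:
    """True when the installed pcs build is at or above the advisory's build."""
    return evr_cmp(installed_evr, FIXED_EVR) >= 0
```

The input is the string printed by `rpm -q --qf '%{EVR}\n' pcs`. The result is only meaningful for hosts subscribed to the 9.2 streams listed under Affected Products.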