Security News

Cybersecurity news aggregator

HIGH Updates Red Hat Errata

RHSA-2026:11454: Important: pcs security update

This update addresses two high-severity vulnerabilities in the `pcs` cluster management tool: CVE-2026-31958 (CVSS 7.5) is a DoS flaw in the Tornado web server via large multipart bodies, and CVE-2026-4800 (CVSS 8.1) allows arbitrary code execution in the lodash library via untrusted template input. The vulnerabilities affect `tornado` versions prior to 6.5.5 and `lodash`/`lodash-es`/`lodash-rails` versions prior to 4.17.21. Red Hat has released patched packages for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions to remediate these issues.

Red Hat Product Errata: RHSA-2026:11454 - Security Advisory

Issued: 2026-04-29
Updated: 2026-04-29

Synopsis

Important: pcs security update

Type/Severity

Security Advisory: Important

Topic

An update for pcs is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities.

Security Fix(es):

- tornado-python: Tornado: Denial of Service via large multipart bodies (CVE-2026-31958)
- lodash: lodash: Arbitrary code execution via untrusted input in template imports (CVE-2026-4800)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258

Affected Products

- Red Hat Enterprise Linux High Availability for Power LE - Update Services for SAP Solutions 9.0 ppc64le
- Red Hat Enterprise Linux High Availability for x86_64 - Update Services for SAP Solutions 9.0 x86_64
- Red Hat Enterprise Linux High Availability for ARM 64 - 4 years of updates 9.0 aarch64
- Red Hat Enterprise Linux High Availability for IBM z Systems - 4 years of updates 9.0 s390x
- Red Hat Enterprise Linux Resilient Storage for x86_64 - 4 years of updates 9.0 x86_64
- Red Hat Enterprise Linux Resilient Storage for Power, little endian - 4 years of updates 9.0 ppc64le
- Red Hat Enterprise Linux Resilient Storage for IBM z Systems - 4 years of updates 9.0 s390x

Fixes

- BZ - 2446765 - CVE-2026-31958 tornado-python: Tornado: Denial of Service via large multipart bodies
- BZ - 2453496 - CVE-2026-4800 lodash: lodash: Arbitrary code execution via untrusted input in template imports

CVEs

- CVE-2026-4800
- CVE-2026-31958

References

- https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available.
Red Hat Enterprise Linux High Availability for Power LE - Update Services for SAP Solutions 9.0
  SRPM: pcs-0.11.1-10.el9_0.11.src.rpm
  ppc64le: pcs-0.11.1-10.el9_0.11.ppc64le.rpm, pcs-snmp-0.11.1-10.el9_0.11.ppc64le.rpm

Red Hat Enterprise Linux High Availability for x86_64 - Update Services for SAP Solutions 9.0
  SRPM: pcs-0.11.1-10.el9_0.11.src.rpm
  x86_64: pcs-0.11.1-10.el9_0.11.x86_64.rpm, pcs-snmp-0.11.1-10.el9_0.11.x86_64.rpm

Red Hat Enterprise Linux High Availability for ARM 64 - 4 years of updates 9.0
  SRPM: pcs-0.11.1-10.el9_0.11.src.rpm
  aarch64: pcs-0.11.1-10.el9_0.11.aarch64.rpm, pcs-snmp-0.11.1-10.el9_0.11.aarch64.rpm

Red Hat Enterprise Linux High Availability for IBM z Systems - 4 years of updates 9.0
  SRPM: pcs-0.11.1-10.el9_0.11.src.rpm
  s390x: pcs-0.11.1-10.el9_0.11.s390x.rpm, pcs-snmp-0.11.1-10.el9_0.11.s390x.rpm

Red Hat Enterprise Linux Resilient Storage for x86_64 - 4 years of updates 9.0
  SRPM: pcs-0.11.1-10.el9_0.11.src.rpm
  x86_64: pcs-0.11.1-10.el9_0.11.x86_64.rpm, pcs-snmp-0.11.1-10.el9_0.11.x86_64.rpm

Red Hat Enterprise Linux Resilient Storage for Power, little endian - 4 years of updates 9.0
  SRPM: pcs-0.11.1-10.el9_0.11.src.rpm
  ppc64le: pcs-0.11.1-10.el9_0.11.ppc64le.rpm, pcs-snmp-0.11.1-10.el9_0.11.ppc64le.rpm

Red Hat Enterprise Linux Resilient Storage for IBM z Systems - 4 years of updates 9.0
  SRPM: pcs-0.11.1-10.el9_0.11.src.rpm
  s390x: pcs-0.11.1-10.el9_0.11.s390x.rpm, pcs-snmp-0.11.1-10.el9_0.11.s390x.rpm

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
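
To check hosts against the fixed build named in the package list (pcs-0.11.1-10.el9_0.11), the following added example, which is not part of the advisory, compares installed version-release strings with a simplified form of RPM's segment comparison. The host names and installed builds are constructed sample data, and the code assumes no epoch and no `~` or `^` in the strings.

```python
import re

# Fixed build taken from the advisory's package list (pcs-0.11.1-10.el9_0.11).
FIXED_VERSION, FIXED_RELEASE = "0.11.1", "10.el9_0.11"
STREAM_TAG = "el9_0"  # the advisory covers the RHEL 9.0 update stream only

def _segments(s):
    # RPM compares runs of digits and runs of letters; separators are ignored.
    return re.findall(r"\d+|[A-Za-z]+", s)

def rpm_cmp(a, b):
    """Simplified rpmvercmp (no '~' or '^' handling): returns -1, 0 or 1."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)            # numeric segments compare as numbers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment beats letters
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def assess(version_release):
    """Classify one `rpm -q --qf '%{VERSION}-%{RELEASE}' pcs` result."""
    version, _, release = version_release.partition("-")
    if STREAM_TAG not in release:
        return "other-stream"  # not covered by this advisory; check that stream's errata
    order = rpm_cmp(version, FIXED_VERSION) or rpm_cmp(release, FIXED_RELEASE)
    return "fixed" if order >= 0 else "needs-update"

# Constructed inventory: host -> installed pcs version-release (sample data).
INVENTORY = {
    "node-a": "0.11.1-10.el9_0.9",   # a plain string compare would rank .9 above .11
    "node-b": "0.11.1-10.el9_0.11",
    "node-c": "0.11.1-10.el9_0.2",
    "node-d": "0.11.3-4.el9",
}

def report(inventory):
    return {host: assess(vr) for host, vr in inventory.items()}

if __name__ == "__main__":
    for host, state in report(INVENTORY).items():
        print(f"{host}: {state}")
```

On a real host, `rpm -q --qf '%{VERSION}-%{RELEASE}\n' pcs` produces the string that `assess` expects.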
