Issued at: 2026-06-11
Updated at: 2026-06-11
Synopsis
Important: cockpit-image-builder security update
Description
The image-builder-frontend generates custom images suitable for deploying systems or uploading to the cloud. It integrates into Cockpit as a frontend for osbuild.
Security Fix(es):
* lodash: prototype pollution in _.unset and _.omit functions (CVE-2025-13465)
* lodash: Arbitrary code execution via untrusted input in template imports (CVE-2026-4800)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Affected products
Rocky Linux 10 aarch64
Rocky Linux 10 ppc64le
Rocky Linux 10 riscv64
Rocky Linux 10 s390x
Rocky Linux 10 x86_64
Fixes
2453496
2431740
CVEs
CVE-2025-13465
CVE-2026-4800
Affected packages
Rocky Linux 10 aarch64 - AppStream
cockpit-image-builder-0:94.3-1.el10_2.src.rpm
cockpit-image-builder-0:94.3-1.el10_2.noarch.rpm
Rocky Linux 10 ppc64le - AppStream
cockpit-image-builder-0:94.3-1.el10_2.src.rpm
cockpit-image-builder-0:94.3-1.el10_2.noarch.rpm
Rocky Linux 10 riscv64 - AppStream
cockpit-image-builder-0:94.3-1.el10_2.src.rpm
cockpit-image-builder-0:94.3-1.el10_2.noarch.rpm
Rocky Linux 10 s390x - AppStream
cockpit-image-builder-0:94.3-1.el10_2.src.rpm
cockpit-image-builder-0:94.3-1.el10_2.noarch.rpm
Rocky Linux 10 x86_64 - AppStream
cockpit-image-builder-0:94.3-1.el10_2.src.rpm
cockpit-image-builder-0:94.3-1.el10_2.noarch.rpm