diff --git a/local-static-provisioner.yaml b/local-static-provisioner.yaml
index d8b0e130fa9..ef40b77f8e6 100644
--- a/local-static-provisioner.yaml
+++ b/local-static-provisioner.yaml
@@ -1,7 +1,7 @@
 package:
   name: local-static-provisioner
   version: "2.8.0"
-  epoch: 6 # GHSA-j5w8-q4qc-rx2x
+  epoch: 7 # GHSA-r6j8-c6r2-37rr
   description: Static provisioner of local volumes
   copyright:
     - license: Apache-2.0
@@ -26,6 +26,9 @@ pipeline:
       repository: https://github.com/kubernetes-sigs/sig-storage-local-static-provisioner
       tag: v${{package.version}}
       expected-commit: bc3d8238c205d8b32fcef4330a490555d53fe232
+      cherry-picks: |
+        master/2edb740e03b22a619e832176ba0d4c30ba1f9f92: fix CVE-2025-5187
+        master/fbbab741296e295136f60d1de5996ad7a9e90d02: fix CVE-2025-13281
 
   - uses: go/bump
     with: