diff --git a/Dockerfile b/Dockerfile
index 375ab94c1..7a2d2dde5 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -55,6 +55,8 @@ RUN echo "@main https://dl-cdn.alpinelinux.org/alpine/edge/main" | tee -a /etc/a
 openssl \
 openssl-dev \
 openjdk21-jre \
+ # Security updates
+ libjxl@testing \
 # Doc conversion
 gcompat \
 libc6-compat \
diff --git a/Dockerfile.fat b/Dockerfile.fat
index fda3d89c4..b1f86d92f 100644
--- a/Dockerfile.fat
+++ b/Dockerfile.fat
@@ -69,6 +69,8 @@ RUN echo "@main https://dl-cdn.alpinelinux.org/alpine/edge/main" | tee -a /etc/a
 openssl \
 openssl-dev \
 openjdk21-jre \
+ # Security updates
+ libjxl@testing \
 # Doc conversion
 gcompat \
 libc6-compat \
diff --git a/Dockerfile.ultra-lite b/Dockerfile.ultra-lite
index acc62b93b..f2b1107de 100644
--- a/Dockerfile.ultra-lite
+++ b/Dockerfile.ultra-lite
@@ -36,7 +36,9 @@ RUN echo "@testing https://dl-cdn.alpinelinux.org/alpine/edge/main" | tee -a /et
 curl \
 shadow \
 su-exec \
- openjdk21-jre && \
+ openjdk21-jre \
+ # Security updates
+ libjxl@testing && \
 # User permissions
 mkdir -p /configs /logs /customFiles /usr/share/fonts/opentype/noto /tmp/stirling-pdf /pipeline/watchedFolders /pipeline/finishedFolders && \
 chmod +x /scripts/*.sh && \
diff --git a/app/proprietary/build.gradle b/app/proprietary/build.gradle
index 80b61438a..fdc92a2e5 100644
--- a/app/proprietary/build.gradle
+++ b/app/proprietary/build.gradle
@@ -56,6 +56,9 @@ dependencies {
 implementation "org.opensaml:opensaml-core:$openSamlVersion"
 implementation "org.opensaml:opensaml-saml-api:$openSamlVersion"
 implementation "org.opensaml:opensaml-saml-impl:$openSamlVersion"
+ // Security vulnerability fixes - remove when parent dependencies update
+ implementation 'com.nimbusds:nimbus-jose-jwt:10.0.2' // CVE-2025-53864 - from spring-boot-starter-oauth2-client
+ implementation 'com.google.guava:guava:33.4.8-jre' // CVE-2023-2976, CVE-2020-8908 - from OpenSAML dependencies above
 }
 implementation 'com.coveo:saml-client:5.0.0'
 }
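Review bot: In Dockerfile, the added `libjxl@testing \` pulls an unpinned package through a repository tag, and the `# Security updates` comment above it names no advisory, unlike the CVE-annotated Gradle pins in the same commit. Without that, a later rebuild cannot be checked against a known fixed version and nobody can tell when the override may be dropped. I would write the comment as `# Security update: libjxl from the tagged repo for <ADVISORY-ID placeholder>; drop once the base image's stable branch carries the fix` and add a minimum-version constraint on the package. The `@testing` repository declaration is not visible here (the hunk header is truncated after the `@main` entry and the RUN instruction starts above the hunk), so confirm the tag is defined. The identical hunk in Dockerfile.fat has the same gap.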
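Review bot: In Dockerfile.ultra-lite, `libjxl@testing && \` relies on a tag that the hunk header shows being declared as `@testing https://dl-cdn.alpinelinux.org/alpine/edge/main`, so here the package would resolve from edge/main, whereas Dockerfile and Dockerfile.fat label that same URL `@main`. If no other `@testing` entry follows on the truncated RUN line, the three images get libjxl from differently named, and possibly different, repositories. Either align the tag name with the URL it points at or record it next to the package, e.g. `# libjxl: the @testing tag in this file maps to edge/main`. The RUN instruction starts above the hunk and continues below it.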
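Review bot: The two added `implementation` lines in app/proprietary/build.gradle hard-code `10.0.2` and `33.4.8-jre`, the same versions the root build.gradle change in this commit sets through `dependency` entries, so the fix versions now live in two places and can drift apart on the next bump. They also turn transitive libraries into direct dependencies of this module. If the root dependency management applies to this subproject, the versionless form is enough: `implementation 'com.nimbusds:nimbus-jose-jwt'` and `implementation 'com.google.guava:guava'`, or drop the lines and let the managed versions apply to the transitive copies. The enclosing block opens above the hunk, so whether these lines are conditional is not visible here.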
diff --git a/build.gradle b/build.gradle
index 554d92689..02103eed1 100644
--- a/build.gradle
+++ b/build.gradle
@@ -128,6 +128,13 @@ subprojects {
 imports {
 mavenBom "org.springframework.boot:spring-boot-dependencies:$springBootVersion"
 }
+ dependencies {
+ // Security vulnerability fixes - remove when Spring Security updates these
+ dependency 'com.nimbusds:nimbus-jose-jwt:10.0.2' // CVE-2025-53864 - from spring-boot-starter-oauth2-client
+ dependency 'com.google.guava:guava:33.4.8-jre' // CVE-2023-2976, CVE-2020-8908 - from OpenSAML dependencies
+ dependency 'commons-io:commons-io:2.14.0' // CVE-2024-47554 - from various dependencies
+ dependency 'org.apache.commons:commons-lang3:3.18.0' // CVE-2025-48924 - from transitive dependencies
+ }
 }
 dependencies {
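Review bot: The added `dependency` entries pin exact versions for every subproject, and as I read the dependency-management plugin's rules such entries take precedence over the imported Spring Boot BOM, so once `springBootVersion` brings newer releases these lines would silently hold the libraries back. The comment says to remove them later but records nothing to check against; I would extend each one, e.g. `// CVE-2025-53864 - overrides BOM-managed <BOM-VERSION placeholder>; delete when the BOM ships >= 10.0.2`. For `nimbus-jose-jwt:10.0.2` in particular, if the BOM manages an earlier major line this is a major-version override of the library behind the OAuth2/JWT login path, so that path needs a test run against it. The enclosing block opens above the hunk.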