diff --git a/app/common/build.gradle b/app/common/build.gradle
index be7016aaa..4168003cb 100644
--- a/app/common/build.gradle
+++ b/app/common/build.gradle
@@ -29,7 +29,7 @@ spotless {
 dependencies {
 api 'org.springframework.boot:spring-boot-starter-webmvc'
 api 'org.springframework.boot:spring-boot-starter-aspectj'
- api 'com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer:20240325.1'
+ api 'com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer:20260102.1'
 api 'com.fathzer:javaluator:3.0.6'
 api 'com.posthog.java:posthog:1.2.0'
 api 'org.apache.commons:commons-lang3:3.20.0'
@@ -39,7 +39,7 @@ dependencies {
 api "org.apache.pdfbox:pdfbox-io:$pdfboxVersion"
 api "org.apache.pdfbox:xmpbox:$pdfboxVersion"
 api "org.apache.pdfbox:preflight:$pdfboxVersion"
- api 'com.github.junrar:junrar:7.5.7' // RAR archive support for CBR files
+ api 'com.github.junrar:junrar:7.5.8' // RAR archive support for CBR files
 api 'jakarta.servlet:jakarta.servlet-api:6.1.0'
 api 'org.snakeyaml:snakeyaml-engine:3.0.1'
 api "org.springdoc:springdoc-openapi-starter-webmvc-ui:3.0.1"
diff --git a/app/core/build.gradle b/app/core/build.gradle
index 329e2e23e..ae2faf31e 100644
--- a/app/core/build.gradle
+++ b/app/core/build.gradle
@@ -77,7 +77,7 @@ dependencies {
 implementation 'org.verapdf:validation-model:1.28.2'
 // CVE-2025-66453: Explicit rhino 1.7.15 to override verapdf's 1.7.13
- implementation 'org.mozilla:rhino:1.7.15'
+ implementation 'org.mozilla:rhino:1.9.1'
 // veraPDF still uses javax.xml.bind, not the new jakarta namespace
 implementation 'javax.xml.bind:jaxb-api:2.3.1'
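Review bot: The comment directly above the changed line still reads `// CVE-2025-66453: Explicit rhino 1.7.15 to override verapdf's 1.7.13` while the pin below it is now 1.9.1, so the stated rationale no longer matches the declaration; change it to `// CVE-2025-66453: Explicit rhino 1.9.1 to override verapdf's 1.7.13`. The same staleness is left behind in the next hunk of app/core/build.gradle, where `// CVE-2022-25647: Explicit gson 2.8.9 to prevent unsafe deserialization (tabula would pull 2.8.7)` now sits above a 2.13.2 pin, and in the build.gradle resolutionStrategy hunk, whose `// - CVE-2025-66453: rhino 1.7.15 (explicit dependency overrides verapdf 1.7.13)` bullet was not updated alongside the force declarations bumped to 2.13.2 and 1.9.1. Since these comments are the only record of why the pins exist, a future reader could "clean up" a mismatched pin and silently reintroduce the vulnerable transitive version. Rhino 1.7.15 to 1.9.1 also crosses the 1.8 line, which as I understand it split the distribution into several artifacts, so it is worth confirming that veraPDF's validation-model still resolves everything it needs from `org.mozilla:rhino` alone before relying on the force rule. The `dependencies` block continues outside the hunk.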
@@ -92,7 +92,7 @@ dependencies {
 exclude group: 'com.google.code.gson', module: 'gson'
 }
 // CVE-2022-25647: Explicit gson 2.8.9 to prevent unsafe deserialization (tabula would pull 2.8.7)
- implementation 'com.google.code.gson:gson:2.8.9'
+ implementation 'com.google.code.gson:gson:2.13.2'
 implementation 'org.apache.pdfbox:jbig2-imageio:3.0.4'
 implementation 'com.opencsv:opencsv:5.12.0' // https://mvnrepository.com/artifact/com.opencsv/opencsv
 implementation 'org.apache.poi:poi-ooxml:5.5.1'
diff --git a/app/proprietary/build.gradle b/app/proprietary/build.gradle
index 4407ca63e..ce5c926a0 100644
--- a/app/proprietary/build.gradle
+++ b/app/proprietary/build.gradle
@@ -49,20 +49,20 @@ dependencies {
 api 'org.springframework.boot:spring-boot-starter-mail'
 api 'org.springframework.boot:spring-boot-starter-cache'
 api 'com.github.ben-manes.caffeine:caffeine'
- api 'io.swagger.core.v3:swagger-core-jakarta:2.2.42'
- implementation 'com.bucket4j:bucket4j_jdk17-core:8.15.0'
+ api 'io.swagger.core.v3:swagger-core-jakarta:2.2.43'
+ implementation 'com.bucket4j:bucket4j_jdk17-core:8.16.1' // https://mvnrepository.com/artifact/com.bucket4j/bucket4j_jdk17
 implementation "org.bouncycastle:bcprov-jdk18on:$bouncycastleVersion"
 api 'io.micrometer:micrometer-registry-prometheus'
- implementation 'com.unboundid.product.scim2:scim2-sdk-client:4.1.0'
+ implementation 'com.unboundid.product.scim2:scim2-sdk-client:5.0.0'
 api "io.jsonwebtoken:jjwt-api:$jwtVersion"
 runtimeOnly "io.jsonwebtoken:jjwt-impl:$jwtVersion"
 runtimeOnly "io.jsonwebtoken:jjwt-jackson:$jwtVersion"
 runtimeOnly 'com.h2database:h2:2.3.232' // Don't upgrade h2database
- runtimeOnly 'org.postgresql:postgresql:42.7.9'
+ runtimeOnly 'org.postgresql:postgresql:42.7.10'
 constraints {
 implementation "org.opensaml:opensaml-core:$openSamlVersion"
 implementation "org.opensaml:opensaml-saml-api:$openSamlVersion"
diff --git a/build.gradle b/build.gradle
index bab884a60..e3bd51554 100644
--- a/build.gradle
+++ b/build.gradle
@@ -22,14 +22,14 @@ import org.gradle.jvm.toolchain.JavaLanguageVersion
 ext {
 springBootVersion = "4.0.3"
 pdfboxVersion = "3.0.6"
- imageioVersion = "3.13.0"
+ imageioVersion = "3.13.1"
 lombokVersion = "1.18.42"
 bouncycastleVersion = "1.83"
 springSecuritySamlVersion = "7.0.2"
 openSamlVersion = "4.3.2"
 commonmarkVersion = "0.27.1"
 googleJavaFormatVersion = "1.34.1"
- logback = "1.5.28"
+ logback = "1.5.32"
 junitPlatformVersion = "1.12.2"
 modernJavaVersion = 21
 }
@@ -194,8 +194,8 @@ subprojects {
 // - CVE-2022-25647: gson 2.8.9+ (explicit dependency overrides tabula 2.8.7)
 // - CVE-2025-66453: rhino 1.7.15 (explicit dependency overrides verapdf 1.7.13)
 // Fallback strategy force declarations for additional safety:
- resolutionStrategy.force 'com.google.code.gson:gson:2.8.9'
- resolutionStrategy.force 'org.mozilla:rhino:1.7.15'
+ resolutionStrategy.force 'com.google.code.gson:gson:2.13.2'
+ resolutionStrategy.force 'org.mozilla:rhino:1.9.1'
 // CVE-2025-48924: commons-lang3 3.20.0 DoS prevention
 resolutionStrategy.force 'org.apache.commons:commons-lang3:3.20.0'
 // CVE-2024-47554: commons-io 2.21.0 DoS prevention