diff --git a/build.gradle b/build.gradle
index 1ffa4c81aa..2e1685cb79 100644
--- a/build.gradle
+++ b/build.gradle
@@ -246,6 +246,8 @@ allprojects {
// force version for cloud, docker, fileTransfer, googledrive, tcrb, wnprc_ehr
force "org.apache.httpcomponents:httpcore:${httpcoreVersion}"
force "org.apache.httpcomponents.core5:httpcore5:${httpcore5Version}"
+ // httpcore5-h2 arrives transitively (not pinned before); force to the fixed version for CVE-2026-54399
+ force "org.apache.httpcomponents.core5:httpcore5-h2:${httpcore5Version}"
// force version for cloud, docker, fileTransfer, googledrive, tcrb, wnprc_ehr
force "org.apache.httpcomponents:httpclient:${httpclientVersion}"
force "org.apache.httpcomponents.client5:httpclient5:${httpclient5Version}"
diff --git a/dependencyCheckSuppression.xml b/dependencyCheckSuppression.xml
index 4b696b82a5..92db6ed994 100644
--- a/dependencyCheckSuppression.xml
+++ b/dependencyCheckSuppression.xml
@@ -437,5 +437,25 @@
^pkg:maven/com\.networknt/json-schema-validator@.*$
CVE-2025-15104
+
+
+
+ ^pkg:maven/org\.apache\.httpcomponents/httpcore@.*$
+ CVE-2026-54399
+
+
+
+
+ ^pkg:maven/org\.jetbrains\.kotlin/.*@.*$
+ CVE-2026-53914
+
diff --git a/gradle.properties b/gradle.properties
index 696d65f97e..d1d3167cbf 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -96,8 +96,8 @@ apacheDirectoryVersion=2.1.7
#Transitive dependency of Apache directory
apacheMinaVersion=2.2.7
-# Usually matches the version specified as a Spring Boot dependency (see springBootVersion below)
-apacheTomcatVersion=11.0.22
+# Intentionally held ahead of the Tomcat version Spring Boot manages (SB 4.0.6 -> 11.0.21, 4.0.7 -> 11.0.22, both affected by CVE-2026-53434/-55276 et al.). Keep at 11.0.23+ until a Spring Boot release ships a patched Tomcat. (see springBootVersion below)
+apacheTomcatVersion=11.0.23
# (mothership) -> json-path -> json-smart -> accessor-smart
# (core) -> graalvm
@@ -185,7 +185,7 @@ hamcrestVersion=2.2
htsjdkVersion=4.3.0
httpclient5Version=5.5.2
-httpcore5Version=5.4.2
+httpcore5Version=5.4.3
# Not used directly, but these are widely used transitive dependencies
httpclientVersion=4.5.14
@@ -194,9 +194,9 @@ httpcoreVersion=4.4.16
intellijKotlinVersion=2.3.10
# Update the three Jackson dependency versions below in tandem, unless one gets a patch release out-of-sync with the others
-jacksonVersion=2.21.4
-jacksonDatabindVersion=2.21.4
-jacksonJaxrsBaseVersion=2.21.4
+jacksonVersion=2.21.5
+jacksonDatabindVersion=2.21.5
+jacksonJaxrsBaseVersion=2.21.5
# Note the inconsistent version numbering for "annotations"... it no longer matches the above
jacksonAnnotationsVersion=2.21
@@ -300,7 +300,7 @@ slf4jLog4jApiVersion=2.0.18
# This is a dependency for HTSJDK. Force version for CVE-2023-43642
snappyJavaVersion=1.1.10.8
-# Also, update apacheTomcatVersion above to match Spring Boot's Tomcat dependency version
+# Note: apacheTomcatVersion above is intentionally held ahead of Spring Boot's managed Tomcat for CVE remediation (see the comment there)
springBootVersion=4.0.6
# This usually matches the Spring Framework version dictated by springBootVersion
springVersion=7.0.7