diff --git a/cspell.json b/cspell.json
index 2d1797b..938ba30 100644
--- a/cspell.json
+++ b/cspell.json
@@ -12,6 +12,7 @@
 "ERRFD",
 "extglob",
 "hadolint",
+ "libgnutls",
 "ltrimstr",
 "luacheck",
 "luarocks",
diff --git a/images/ci-tools/.trivyignore b/images/ci-tools/.trivyignore
index b28a141..42370b6 100644
--- a/images/ci-tools/.trivyignore
+++ b/images/ci-tools/.trivyignore
@@ -5,11 +5,11 @@
 # Go stdlib CVEs — waiting on upstream releases built with a patched Go toolchain.
 #
-# actionlint v1.7.12 and shfmt v3.13.1 are both built with Go 1.26.1.
-# Both are offline lint/format tools that operate on local files: they do
-# not parse untrusted URLs, build or validate X.509 chains against
-# untrusted input, or open TLS sessions to untrusted peers, so the
-# practical risk for the entries below is negligible.
+# actionlint v1.7.12 and shfmt v3.13.1 are built with Go 1.26.1; yq v4.53.2
+# is built with Go 1.26.2. All three are offline lint/format tools that
+# operate on local files: they do not parse untrusted URLs, build or validate
+# X.509 chains against untrusted input, or open TLS sessions to untrusted
+# peers, so the practical risk for the entries below is negligible.
 # crypto/x509: chain building does unbounded work
 # (fixed in Go 1.25.9 / 1.26.2)
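Review bot: The justification sentence rewritten here still only rules out URL parsing, X.509 chain building and TLS sessions, but the entries this header now covers (later in this file) also include DNS lookups, HTTP/2 SETTINGS handling and RFC 5322 address parsing, so the stated reasoning no longer matches what is being ignored. I'd widen it to something like `# operate on local files: they do not parse untrusted URLs or mail addresses, resolve DNS names, speak HTTP/2, build or validate X.509 chains against untrusted input, or open TLS sessions to untrusted peers, ...` — assuming yq really has no network path, which I could not confirm from this diff. Trivy reports these stdlib CVEs purely from the Go toolchain version stamped into each binary, so the reachability claim can be made checkable rather than argued in prose: `govulncheck -mode=binary "$(command -v yq)"` (likewise for actionlint and shfmt) only reports findings whose affected symbols are actually linked into the binary, and citing that result in this comment would be stronger than the current wording.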
@@ -38,3 +38,43 @@ CVE-2026-32283
 # Remove this entry once both ship builds on Go >= 1.26.2.
 # Tracking issue: #96
 CVE-2026-33810
+
+# net: LookupCNAME with the cgo DNS resolver crashes on a very long CNAME
+# (fixed in Go 1.25.10 / 1.26.3)
+# Affects: actionlint v1.7.12 (Go 1.26.1), shfmt v3.13.1 (Go 1.26.1),
+# yq v4.53.2 (Go 1.26.2)
+# Remove this entry once all three ship builds on Go >= 1.25.10 or 1.26.3.
+# Tracking issue: #96
+CVE-2026-33811
+
+# net/http2: infinite loop when processing HTTP/2 SETTINGS frames
+# (fixed in Go 1.25.10 / 1.26.3)
+# Affects: actionlint v1.7.12 (Go 1.26.1), shfmt v3.13.1 (Go 1.26.1),
+# yq v4.53.2 (Go 1.26.2)
+# Remove this entry once all three ship builds on Go >= 1.25.10 or 1.26.3.
+# Tracking issue: #96
+CVE-2026-33814
+
+# net/mail: DoS via crafted inputs to ParseAddress / ParseAddressList
+# (fixed in Go 1.25.10 / 1.26.3)
+# Affects: actionlint v1.7.12 (Go 1.26.1), shfmt v3.13.1 (Go 1.26.1),
+# yq v4.53.2 (Go 1.26.2)
+# Remove this entry once all three ship builds on Go >= 1.25.10 or 1.26.3.
+# Tracking issue: #96
+CVE-2026-39820
+
+# net: panic in Dial and LookupPort when handling NUL byte (Windows)
+# (fixed in Go 1.25.10 / 1.26.3)
+# Affects: actionlint v1.7.12 (Go 1.26.1), shfmt v3.13.1 (Go 1.26.1),
+# yq v4.53.2 (Go 1.26.2)
+# Remove this entry once all three ship builds on Go >= 1.25.10 or 1.26.3.
+# Tracking issue: #96
+CVE-2026-39836
+
+# net/mail: DoS through consumePhrase on pathological inputs
+# (fixed in Go 1.25.10 / 1.26.3)
+# Affects: actionlint v1.7.12 (Go 1.26.1), shfmt v3.13.1 (Go 1.26.1),
+# yq v4.53.2 (Go 1.26.2)
+# Remove this entry once all three ship builds on Go >= 1.25.10 or 1.26.3.
+# Tracking issue: #96
+CVE-2026-42499
diff --git a/images/ci-tools/Dockerfile b/images/ci-tools/Dockerfile
index a38f2e2..4ad9ed3 100644
--- a/images/ci-tools/Dockerfile
+++ b/images/ci-tools/Dockerfile
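Review bot: None of the five new entries has an expiry, so if tracking issue #96 stalls they keep suppressing findings indefinitely even once patched upstream builds exist; Trivy's `.trivyignore` accepts a per-entry expiration, e.g. `CVE-2026-33811 exp:2026-07-31` (pick a date shortly after Go 1.26.3 is expected), which forces a re-review instead of a silent permanent ignore. CVE-2026-39836 is described in its own comment as a Windows-only panic, so for this Linux image the honest justification is inapplicability rather than the offline-tool argument — e.g. `# Windows-only code path; cannot be reached in this Linux image`. Since all five entries share identical fix versions, affected tools and tracking issue, one combined comment block followed by the five IDs would be easier to keep in sync than five near-identical copies.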
@@ -1,13 +1,19 @@
 # ci-tools — shared linting image for Knight Owl CI pipelines
-FROM node:26-bookworm-slim@sha256:d2ec0a1766c01dad04a185c2d5558b0adace167a7f1758ce80f0017698431d06
+FROM node:26-bookworm-slim@sha256:e89172f5e6154ba212269866bf3fbadbca8eb7901e10c0eccf08f2147bfae505
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 # ---------- apt ----------
+# libgnutls30 is listed explicitly to force apt to pull the latest deb12u7+
+# revision, fixing CVE-2026-33845, CVE-2026-42010, CVE-2026-33846,
+# CVE-2026-3833, and CVE-2026-42009. Remove once the base image ships
+# libgnutls30 >= 3.7.9-2+deb12u7. Tracking issue: #135.
+#
 # DL3008: apt packages are intentionally unpinned
 # hadolint ignore=DL3008
 RUN apt-get update \
 && apt-get install -y --no-install-recommends \
+ libgnutls30 \
 shellcheck \
 chktex \
 mandoc \
diff --git a/images/ci-tools/versions.lock b/images/ci-tools/versions.lock
index da22cb4..bb6dc5a 100644
--- a/images/ci-tools/versions.lock
+++ b/images/ci-tools/versions.lock
@@ -1,4 +1,4 @@
-NPM_VERSION=11.13.0
+NPM_VERSION=11.15.0
 SHFMT_VERSION=v3.13.1
 SHFMT_SHA256_AMD64=fb096c5d1ac6beabbdbaa2874d025badb03ee07929f0c9ff67563ce8c75398b1
 SHFMT_SHA256_ARM64=32d92acaa5cd8abb29fc49dac123dc412442d5713967819d8af2c29f1b3857c7
@@ -12,8 +12,8 @@ YQ_VERSION=v4.53.2
 YQ_SHA256_AMD64=d56bf5c6819e8e696340c312bd70f849dc1678a7cda9c2ad63eebd906371d56b
 YQ_SHA256_ARM64=03061b2a50c7a498de2bbb92d7cb078ce433011f085a4994117c2726be4106ea
 MARKDOWNLINT_CLI2_VERSION=0.22.1
-BIOME_VERSION=2.4.13
-STYLELINT_VERSION=17.9.1
+BIOME_VERSION=2.4.15
+STYLELINT_VERSION=17.12.0
 LUACHECK_VERSION=1.2.0-1
 BUSTED_VERSION=2.3.0-1
 BATS_VERSION=v1.13.0
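Review bot: Adding `libgnutls30` to the install list only upgrades it if the candidate version in the package index at build time is already deb12u7 or newer; if a mirror is lagging, the build still succeeds with the vulnerable revision and the comment above the RUN claims a fix the image does not actually have. Since the required version is already spelled out in that comment, I'd assert it in the same RUN so the build fails loudly instead: `&& dpkg --compare-versions "$(dpkg-query -W -f='${Version}' libgnutls30)" ge 3.7.9-2+deb12u7 \` placed after the install step (the RUN continues past the end of this hunk, so the exact spot is outside what is shown). It is also worth one extra clause in the comment that this nudges a single library forward while any other base-image packages with pending security updates stay at the pinned digest's versions, so nobody reads the line as a general upgrade step.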