diff --git a/pyproject.toml b/pyproject.toml
index 0ba77ae3b12..fc37dbe89c1 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -437,6 +437,7 @@ authorized_licenses = [
 "apache software",
 "apache software, bsd",
 "bsd",
+ "bsd-2-clause",
 "bsd-3-clause",
 "isc license (iscl)",
 "isc license",
diff --git a/requirements/base.in b/requirements/base.in
index 7df8f05b016..deca6a557b0 100644
--- a/requirements/base.in
+++ b/requirements/base.in
@@ -16,8 +16,14 @@ # specific language governing permissions and limitations
 # under the License.
 #
-urllib3>=2.6.0,<3.0.0
-werkzeug>=3.0.1
+# Security: CVE-2026-21441 - decompression bomb bypass on redirects
+urllib3>=2.6.3,<3.0.0
+# Security: GHSA-87hc-h4r5-73f7 - Windows path traversal fix
+werkzeug>=3.1.5,<4.0.0
+# Security: CVE-2025-68146 - TOCTOU symlink vulnerability
+filelock>=3.20.3,<4.0.0
+# Security: decompression bomb fix (required by aiohttp 3.13.3)
+brotli>=1.2.0,<2.0.0
 numexpr>=2.9.0 # 5.0.0 has a sensitive deprecation used in other libs
diff --git a/requirements/base.txt b/requirements/base.txt
index 9cf9e3c16f5..445c3ae8812 100644
--- a/requirements/base.txt
+++ b/requirements/base.txt
@@ -36,8 +36,10 @@ blinker==1.9.0 # via flask bottleneck==1.5.0 # via apache-superset (pyproject.toml) -brotli==1.1.0 # via flask-compress +brotli==1.2.0 # via + # -r requirements/base.in + flask-compress cachelib==0.13.0 # via # flask-caching
@@ -101,6 +103,8 @@ email-validator==2.2.0 # via flask-appbuilder et-xmlfile==2.0.0 # via openpyxl +filelock==3.20.3 # via -r requirements/base.in flask==2.3.3 # via # apache-superset (pyproject.toml)
@@ -289,7 +293,7 @@ prompt-toolkit==3.0.51 # via click-repl pyarrow==16.1.0 # via apache-superset (pyproject.toml) -pyasn1==0.6.1 +pyasn1==0.6.2 # via # pyasn1-modules # rsa
@@ -436,7 +440,7 @@ tzdata==2025.2 # pandas url-normalize==2.2.1 # via requests-cache -urllib3==2.6.0 +urllib3==2.6.3 # via # -r requirements/base.in # requests 
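Review bot: The new `"bsd-2-clause"` entry widens the license allowlist without saying which dependency now reports that string; the list mixes free-form classifier text (`"apache software, bsd"`) with SPDX identifiers, so a reader cannot tell whether it was added for a specific package or pre-emptively. Add a comment naming the trigger, e.g. `"bsd-2-clause",  # SPDX id reported by <package>; see requirements/base.txt`, so the entry can be dropped when that package goes away. This is presumably the liccheck `authorized_licenses` table, but the table header is outside the hunk, so that is inferred.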
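Review bot: filelock is added to base.in as a runtime requirement, but the regenerated base.txt lists it `# via -r requirements/base.in` and nothing else, i.e. no package in the base set pulls it in (in development.txt it was only reached through virtualenv), so this floor introduces a new production dependency rather than patching one the app already shipped. Unless something in Superset imports filelock directly (not visible here), the fix belongs in the dev requirements or a `-c` constraint rather than base.in; if it is used directly, the comment should name the consumer. The brotli comment `# Security: decompression bomb fix (required by aiohttp 3.13.3)` is likewise not borne out by the lockfile, where brotli is reached via flask-compress, so it would be more accurate as `# Security: brotli decompression bomb fix; brotli is pulled in by flask-compress`, with the advisory id if there is one.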
@@ -453,7 +457,7 @@ wcwidth==0.2.13 # via prompt-toolkit websocket-client==1.8.0 # via selenium -werkzeug==3.1.3 +werkzeug==3.1.5 # via # -r requirements/base.in # flask
diff --git a/requirements/development.txt b/requirements/development.txt
index 300c2df5560..c91b6a3646e 100644
--- a/requirements/development.txt
+++ b/requirements/development.txt
@@ -80,7 +80,7 @@ bottleneck==1.5.0 # via # -c requirements/base-constraint.txt # apache-superset -brotli==1.1.0 +brotli==1.2.0 # via # -c requirements/base-constraint.txt # flask-compress
@@ -235,8 +235,10 @@ fakeredis==2.32.1 # via pydocket fastmcp==2.14.3 # via apache-superset -filelock==3.12.2 # via virtualenv +filelock==3.20.3 # via + # -c requirements/base-constraint.txt + virtualenv flask==2.3.3 # via # -c requirements/base-constraint.txt
@@ -714,7 +716,7 @@ pyarrow==16.1.0 # apache-superset # db-dtypes # pandas-gbq -pyasn1==0.6.1 +pyasn1==0.6.2 # via # -c requirements/base-constraint.txt # pyasn1-modules
@@ -1061,7 +1063,7 @@ url-normalize==2.2.1 # via # -c requirements/base-constraint.txt # requests-cache -urllib3==2.6.0 +urllib3==2.6.3 # via # -c requirements/base-constraint.txt # docker
@@ -1095,7 +1097,7 @@ websocket-client==1.8.0 # selenium websockets==15.0.1 # via fastmcp -werkzeug==3.1.3 +werkzeug==3.1.5 # via # -c requirements/base-constraint.txt # flask