diff --git a/Dockerfile b/Dockerfile
index b6a824f..15fa847 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -19,7 +19,9 @@ RUN npm run build
 
 # --- Production stage ---
 FROM nginx:alpine AS production
-RUN apk add --no-cache gettext
+# Pull current security fixes for OS packages inherited from the base image
+# (e.g. nghttp2-libs CVE-2026-27135), then install envsubst for runtime config.
+RUN apk upgrade --no-cache && apk add --no-cache gettext
 COPY --from=build /app/dist /usr/share/nginx/html
 COPY nginx.conf /etc/nginx/conf.d/default.conf
 COPY docker/config.js.template /etc/nginx/templates/config.js.template