diff --git a/requirements.txt b/requirements.txt
index f7b72b6f0c3..bf2bf2c47a0 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,7 +1,7 @@
 # LITELLM PROXY DEPENDENCIES #
 # Security: explicit pins for transitive deps (CVE fixes)
 urllib3>=2.6.0 # CVE-2025-66471, CVE-2025-66418, CVE-2026-21441
-tornado>=6.5.3 # CVE-2025-67725, CVE-2025-67726, CVE-2025-67724
+tornado>=6.5.5 # CVE-2025-67725, CVE-2025-67726, CVE-2025-67724, CVE-2026-31958, GHSA-78cv-mqj4-43f7
 filelock>=3.20.1 # CVE-2025-68146
 h11>=0.16.0 # CVE-2025-43859, GHSA-vqfr-h8mv-ghfj — HTTP request smuggling
 wheel>=0.46.2 # CVE-2026-24049 — path traversal
diff --git a/ui/litellm-dashboard/package.json b/ui/litellm-dashboard/package.json
index 5cbe1ead886..2a9bb3e5e20 100644
--- a/ui/litellm-dashboard/package.json
+++ b/ui/litellm-dashboard/package.json
@@ -88,7 +88,7 @@
 "mermaid": ">=11.10.0",
 "js-yaml": ">=4.1.1",
 "glob": ">=11.1.0",
- "tar": ">=7.5.10",
+ "tar": ">=7.5.11",
 "minimatch": ">=10.2.4",
 "@isaacs/brace-expansion": ">=5.0.1",
 "node-forge": ">=1.3.2",