diff --git a/CHANGELOG.md b/CHANGELOG.md index 593e735db..a5d883536 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Added - Added per-step token cost tracking and estimated tool call token usage to Ask Sourcebot chat history. [#1353](https://github.com/sourcebot-dev/sourcebot/pull/1353) +### Fixed +- Upgraded `golang.org/x/net` to `^0.55.0` in the zoekt build to address CVE-2026-42502. [#1364](https://github.com/sourcebot-dev/sourcebot/pull/1364) + ## [5.0.4] - 2026-06-18 ### Changed diff --git a/Dockerfile b/Dockerfile index 6c6b2439f..b2c8c53eb 100644 --- a/Dockerfile +++ b/Dockerfile @@ -26,6 +26,11 @@ WORKDIR /zoekt COPY vendor/zoekt/go.mod vendor/zoekt/go.sum ./ RUN go mod download COPY vendor/zoekt ./ +# Force-upgrade golang.org/x/net to a patched version to address CVE-2026-42502 +# (HTML parsed and re-rendered via Render can produce an unexpected tree, enabling XSS). +# This pulls the fixed version into the built zoekt binaries; remove once vendor/zoekt +# pins >= v0.55.0. +RUN go get golang.org/x/net@v0.55.0 RUN CGO_ENABLED=0 GOOS=linux go build -o /cmd/ ./cmd/... # -------------------------
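Review bot: In the CHANGELOG hunk, `^0.55.0` is npm-style caret-range syntax, which Go modules do not use; the Dockerfile in this same PR pins an exact version with `go get golang.org/x/net@v0.55.0`. Write the entry as `v0.55.0` (or "to v0.55.0") so the changelog matches what the build actually pulls, otherwise a reader auditing the CVE fix cannot tell which version shipped.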
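Review bot: In the Dockerfile hunk, nothing verifies that the `RUN go get golang.org/x/net@v0.55.0` step actually lands in the built binaries, so a later change to vendor/zoekt (a `replace` directive, a vendor directory, or `-mod=vendor` in the build) could silently pin the old version again while the comment still claims the CVE is addressed. Add a guard right after the `go get`, for example `RUN go list -m golang.org/x/net | grep -q 'v0.55.0'`, or inspect the output with `go version -m` after the `go build` step and fail the build if the module is not at the patched version. Also note that `go get` only rewrites go.mod/go.sum inside the image; the vendored go.mod stays stale, so the removal condition in the comment ("remove once vendor/zoekt pins >= v0.55.0") should be tracked in an issue so the workaround does not outlive its purpose.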