diff --git a/.github/workflows/linters.yml b/.github/workflows/linters.yml
index 3ce157aec6..b9563979b5 100644
--- a/.github/workflows/linters.yml
+++ b/.github/workflows/linters.yml
@@ -95,7 +95,7 @@ jobs:
 run: |
 pip install pip-audit
 cd ${GITHUB_WORKSPACE}
- pip-audit --desc on --ignore-vuln PYSEC-2023-312 --ignore-vuln CVE-2025-68616 .
+ pip-audit --desc on --ignore-vuln PYSEC-2023-312 .
 precommit:
 name: 'Pre-Commit'
diff --git a/pyproject.toml b/pyproject.toml
index fae18e6cec..e076edf958 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -26,13 +26,15 @@ dependencies = [
 "PyQRCode~=1.2.1",
 "PyYAML~=6.0.3",
 "RestrictedPython~=8.1",
- "WeasyPrint==66.0",
+ "WeasyPrint==68.0",
+ # we don't use tinycss2 directly, but pinned to ensure compatibility with WeasyPrint and bleach
+ "tinycss2~=1.5.1,<1.6",
 "pydyf==0.12.1",
 "Werkzeug==3.1.5",
 "Whoosh~=2.7.4",
 "beautifulsoup4~=4.13.5",
 "bleach-allowlist~=1.0.3",
- "bleach[css]~=6.3.0",
+ "bleach~=6.3.0",
 "chardet~=5.2.0",
 "croniter~=6.0.0",
 "cryptography~=46.0.3",
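Review bot: The remaining `--ignore-vuln PYSEC-2023-312` on the new `pip-audit` line has no recorded reason or removal condition, and this commit shows that such ignores have to be removed by hand once their cause is gone. A shell comment above the command would cover it, e.g. `# PYSEC-2023-312: <affected package and why it is accepted>; remove once <fixed version> is pinned`. The page does not say what that advisory covers, so the placeholders need filling in by whoever owns the ignore. The step this `run:` block belongs to starts outside the hunk.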
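Review bot: Dropping the `css` extra from `bleach` while pinning `tinycss2` by hand means the resolver no longer enforces bleach's own tinycss2 constraint, so the new comment's claim of compatibility with bleach rests on the comment alone. If the project uses bleach's CSS sanitizer on user-supplied HTML (the old `bleach[css]` entry suggests it does), that sanitizer now runs against a tinycss2 release chosen for WeasyPrint, so a regression test over `style` attributes is worth adding alongside this bump. The comment should record that trade-off, e.g. `# bleach[css] is not used because <reason, e.g. its tinycss2 bound>; re-test bleach's CSS sanitizer on every tinycss2 bump`. Separately, `~=1.5.1` already excludes 1.6, so `"tinycss2~=1.5.1"` is sufficient. The `dependencies` array starts and ends outside the hunk.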