diff --git a/requirements.txt b/requirements.txt
index 968d728..295cfa8 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -10,4 +10,9 @@ python-pptx>=1.0.2
 openpyxl>=3.1.5
 beautifulsoup4>=4.14.3
 ebooklib>=0.20
+# Transitive of python-docx, python-pptx, ebooklib, pikepdf.
+# Pin to >=6.1.0 to fix PYSEC-2026-87 (XXE — lxml < 6.1.0 resolves
+# external entities by default, allowing crafted DOCX/PPTX/EPUB/PDF-XMP
+# files to read arbitrary local files).
+lxml>=6.1.0
 pyinstaller>=6.20.0
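Review bot: The new `lxml>=6.1.0` line is a floor rather than a pin, so it only takes effect when an environment is resolved afresh. Existing virtualenvs, and any frozen build produced from them, keep whatever lxml they already have. Since `pyinstaller` is listed in the same file, the shipped bundle presumably embeds lxml, so the release should be rebuilt from a clean environment and the bundled version checked in CI. The comment would read more accurately as `# Require >=6.1.0 to fix PYSEC-2026-87 ...`. The fix as described relies on the changed parser default, so it is also worth confirming that no code in the project constructs a parser with `resolve_entities=True`, which the upgrade would not affect.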