diff --git a/cc-ci-plan/upstream/custom-html.md b/cc-ci-plan/upstream/custom-html.md index 6bd0e6f..be8c3f6 100644 --- a/cc-ci-plan/upstream/custom-html.md +++ b/cc-ci-plan/upstream/custom-html.md @@ -3,7 +3,7 @@ | service | image | source repo | releases / changelog | |---------|-------|-------------|----------------------| | app | nginx | https://github.com/nginx/nginx | https://nginx.org/en/CHANGES | -| git | alpine/git | https://github.com/alpine-git/alpine-git | https://hub.docker.com/r/alpine/git/tags | +| git | alpine/git | https://github.com/alpine-docker/git | https://hub.docker.com/r/alpine/git/tags | ## Standing notes - nginx even-numbered minor versions (1.28.x, 1.30.x) are mainline; odd (1.27.x, 1.29.x) are stable. The recipe tracks mainline. @@ -11,3 +11,5 @@ - compose.sftp.yml and compose.sso.yml are other optional overlays; linuxserver/openssh-server uses `latest` tag and is not version-pinned. - Breaking change in nginx 1.31.0: HTTP/2 and HTTP/3 requests with Connection/Proxy-Connection/Keep-Alive/Transfer-Encoding/Upgrade/TE headers are now rejected. - Breaking change in nginx 1.29.7: keepalive in upstream block is enabled by default; proxy_http_version changed to 1.1; Connection proxy header no longer sent by default. +- nginx 1.31.2 (17 Jun 2026) is a security patch release: CVE-2026-42530 (HTTP/3 QUIC use-after-free), CVE-2026-42055 (heap buffer overflow with ignore_invalid_headers off + large_client_header_buffers + HTTP/2/gRPC backend), CVE-2026-48142 (charset_map UTF-8 heap overread). No breaking changes for static-file-serving use case. +- alpine/git is a thin Docker wrapper around git (no formal release notes; version tracks bundled git). Source repo: alpine-docker/git (NOT alpine-git/alpine-git).
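Review bot: In the first hunk's `git` row, the "releases / changelog" cell still points only at the Docker Hub tags page, which lists tags but does not describe what changed. With the source repo now corrected to alpine-docker/git, say in that cell that the image version tracks the bundled git version, as the note added in the second hunk does, so someone reviewing a bump knows where to look for the actual changes.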
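Review bot: In the second hunk, the added nginx 1.31.2 line lists three CVEs with their preconditions but concludes only "No breaking changes for static-file-serving use case", which does not say whether the recipe is exposed to any of them. Add a sentence recording whether the recipe's config enables HTTP/3, sets `ignore_invalid_headers off` with `large_client_header_buffers` and an HTTP/2 or gRPC backend, or uses `charset_map`, and record 1.31.2 as the minimum acceptable version if any of those apply. Separately, the standing note shown as context in the first hunk calls even minors mainline and odd minors stable, yet every version discussed in these notes (1.29.7, 1.31.0, 1.31.2) is odd while "the recipe tracks mainline"; nginx's convention is odd = mainline, so that line looks inverted and is worth correcting in the same change.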