diff --git a/keycloak/dummy-suomifi/gradle/wrapper/gradle-wrapper.jar b/keycloak/dummy-suomifi/gradle/wrapper/gradle-wrapper.jar
index e6441136f3d..a4b76b9530d 100644
Binary files a/keycloak/dummy-suomifi/gradle/wrapper/gradle-wrapper.jar and b/keycloak/dummy-suomifi/gradle/wrapper/gradle-wrapper.jar differ
diff --git a/keycloak/dummy-suomifi/gradle/wrapper/gradle-wrapper.properties b/keycloak/dummy-suomifi/gradle/wrapper/gradle-wrapper.properties
index a4413138c96..cea7a793a84 100644
--- a/keycloak/dummy-suomifi/gradle/wrapper/gradle-wrapper.properties
+++ b/keycloak/dummy-suomifi/gradle/wrapper/gradle-wrapper.properties
@@ -1,6 +1,6 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.8-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.12-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME
diff --git a/keycloak/dummy-suomifi/gradlew b/keycloak/dummy-suomifi/gradlew
index b740cf13397..f3b75f3b0d4 100755
--- a/keycloak/dummy-suomifi/gradlew
+++ b/keycloak/dummy-suomifi/gradlew
@@ -15,6 +15,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
+# SPDX-License-Identifier: Apache-2.0
+#
 
 ##############################################################################
 #
@@ -84,7 +86,7 @@ done
 # shellcheck disable=SC2034
 APP_BASE_NAME=${0##*/}
 # Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036)
-APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit
+APP_HOME=$( cd -P "${APP_HOME:-./}" > /dev/null && printf '%s\n' "$PWD" ) || exit
 
 # Use the maximum available, or set MAX_FD != -1 to use that value.
 MAX_FD=maximum
diff --git a/keycloak/dummy-suomifi/gradlew.bat b/keycloak/dummy-suomifi/gradlew.bat
index 25da30dbdee..9d21a21834d 100644
--- a/keycloak/dummy-suomifi/gradlew.bat
+++ b/keycloak/dummy-suomifi/gradlew.bat
@@ -13,6 +13,8 @@
 @rem See the License for the specific language governing permissions and
 @rem limitations under the License.
 @rem
+@rem SPDX-License-Identifier: Apache-2.0
+@rem
 
 @if "%DEBUG%"=="" @echo off
 @rem ##########################################################################
diff --git a/service/build.gradle.kts b/service/build.gradle.kts
index 2a8e36ff8b9..988d9897b20 100644
--- a/service/build.gradle.kts
+++ b/service/build.gradle.kts
@@ -81,8 +81,6 @@ dependencies {
     implementation("org.springframework.boot:spring-boot-starter-web")
     implementation("org.springframework.boot:spring-boot-starter-web-services")
     implementation("org.springframework.ws:spring-ws-security") {
-        exclude("org.bouncycastle", "bcpkix-jdk15on")
-        exclude("org.bouncycastle", "bcprov-jdk15on")
         exclude("org.opensaml")
     }
     implementation("org.springframework.ws:spring-ws-support") {
@@ -97,9 +95,7 @@ dependencies {
     implementation("org.postgresql:postgresql")
 
     // JDBI
-    implementation("org.jdbi:jdbi3-core") {
-        exclude("org.bouncycastle", "bcprov-jdk15on")
-    }
+    implementation("org.jdbi:jdbi3-core")
     implementation("org.jdbi:jdbi3-jackson2")
     implementation("org.jdbi:jdbi3-kotlin")
     implementation("org.jdbi:jdbi3-postgres")
@@ -168,8 +164,6 @@ dependencies {
     integrationTestImplementation("org.apache.cxf:cxf-rt-transports-http")
     integrationTestImplementation("org.apache.cxf:cxf-rt-transports-http-jetty")
     integrationTestImplementation("org.apache.cxf:cxf-rt-ws-security") {
-        exclude("org.bouncycastle", "bcpkix-jdk15on")
-        exclude("org.bouncycastle", "bcprov-jdk15on")
         exclude("org.opensaml")
     }
 
diff --git a/service/evaka-bom/build.gradle.kts b/service/evaka-bom/build.gradle.kts
index c241a64f50f..447c0a209d3 100644
--- a/service/evaka-bom/build.gradle.kts
+++ b/service/evaka-bom/build.gradle.kts
@@ -14,18 +14,13 @@ dependencies {
         api("ch.qos.logback:logback-classic:1.5.15")
         api("ch.qos.logback:logback-core:1.5.15")
 
-        // These constraints are needed for CVE fixes
-        api("org.apache.tomcat.embed:tomcat-embed-core:11.0.2")
-        api("org.apache.tomcat.embed:tomcat-embed-el:11.0.2")
-        api("org.apache.tomcat.embed:tomcat-embed-websocket:11.0.2")
-
         api("com.auth0:java-jwt:4.4.0")
         api("com.github.kagkarlsson:db-scheduler:15.1.1")
         api(libs.fuel)
         api(libs.fuel.jackson)
         api("com.google.guava:guava:33.4.0-jre")
         api("com.networknt:json-schema-validator:1.5.0")
-        api("com.zaxxer:HikariCP:6.2.0")
+        api("com.zaxxer:HikariCP:6.2.1")
         api("io.github.microutils:kotlin-logging-jvm:3.0.5")
         api("io.kotest:kotest-property:5.9.1")
         api("io.mockk:mockk:1.13.13")
@@ -38,7 +33,7 @@ dependencies {
         api("org.apache.commons:commons-text:1.13.0")
         api("org.apache.commons:commons-imaging:1.0-alpha3")
         api("org.apache.tika:tika-core:3.0.0")
-        api("org.apache.wss4j:wss4j-ws-security-dom:3.0.1")
+        api("org.apache.wss4j:wss4j-ws-security-dom:3.0.4")
         api(libs.bouncycastle.bcpkix)
         api(libs.bouncycastle.bcprov)
         api(libs.flyway.core)
@@ -58,16 +53,12 @@ dependencies {
         api(libs.ktlint.cli.ruleset.core)
         api(libs.ktlint.rule.engine.core)
         api(libs.ktlint.test)
-        api("org.apache.santuario:xmlsec:4.0.0")
     }
 
     api(platform("com.fasterxml.jackson:jackson-bom:2.18.2"))
     api(platform("com.squareup.okhttp3:okhttp-bom:4.12.0"))
     api(platform("io.opentelemetry:opentelemetry-bom:1.45.0"))
-    api(platform("org.apache.cxf:cxf-bom:4.0.3"))
-    // Spring Boot specifies a version constraint for Jetty, but we have other libraries relying
-    // on an older version -> we enforce a specific Jetty BOM version and ignore Spring Boot
-    api(enforcedPlatform("org.eclipse.jetty:jetty-bom:11.0.20"))
+    api(platform("org.apache.cxf:cxf-bom:4.1.0"))
     api(platform("org.jdbi:jdbi3-bom:3.47.0"))
     api(platform(libs.kotlin.bom))
     api(platform("org.junit:junit-bom:5.11.4"))
diff --git a/service/gradle/wrapper/gradle-wrapper.jar b/service/gradle/wrapper/gradle-wrapper.jar
index e6441136f3d..a4b76b9530d 100644
Binary files a/service/gradle/wrapper/gradle-wrapper.jar and b/service/gradle/wrapper/gradle-wrapper.jar differ
diff --git a/service/gradle/wrapper/gradle-wrapper.properties b/service/gradle/wrapper/gradle-wrapper.properties
index b82aa23a4f0..cea7a793a84 100644
--- a/service/gradle/wrapper/gradle-wrapper.properties
+++ b/service/gradle/wrapper/gradle-wrapper.properties
@@ -1,6 +1,6 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.7-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.12-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME
diff --git a/service/gradlew b/service/gradlew
index 1aa94a42690..f3b75f3b0d4 100755
--- a/service/gradlew
+++ b/service/gradlew
@@ -15,6 +15,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
+# SPDX-License-Identifier: Apache-2.0
+#
 
 ##############################################################################
 #
@@ -55,7 +57,7 @@
 #       Darwin, MinGW, and NonStop.
 #
 #   (3) This script is generated from the Groovy template
-#       https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt
+#       https://github.com/gradle/gradle/blob/HEAD/platforms/jvm/plugins-application/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt
 #       within the Gradle project.
 #
 #       You can find Gradle at https://github.com/gradle/gradle/.
@@ -84,7 +86,7 @@ done
 # shellcheck disable=SC2034
 APP_BASE_NAME=${0##*/}
 # Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036)
-APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit
+APP_HOME=$( cd -P "${APP_HOME:-./}" > /dev/null && printf '%s\n' "$PWD" ) || exit
 
 # Use the maximum available, or set MAX_FD != -1 to use that value.
 MAX_FD=maximum
diff --git a/service/gradlew.bat b/service/gradlew.bat
index 25da30dbdee..9d21a21834d 100644
--- a/service/gradlew.bat
+++ b/service/gradlew.bat
@@ -13,6 +13,8 @@
 @rem See the License for the specific language governing permissions and
 @rem limitations under the License.
 @rem
+@rem SPDX-License-Identifier: Apache-2.0
+@rem
 
 @if "%DEBUG%"=="" @echo off
 @rem ##########################################################################
diff --git a/service/owasp-suppressions.xml b/service/owasp-suppressions.xml
index 72b3e34d7f1..f27bbf68b67 100644
--- a/service/owasp-suppressions.xml
+++ b/service/owasp-suppressions.xml
@@ -14,18 +14,4 @@ SPDX-License-Identifier: LGPL-2.1-or-later
        <packageUrl regex="true">^pkg:maven/com\.pinterest\.ktlint/ktlint\-cli\-reporter\-checkstyle@.*$</packageUrl>
        <cpe>cpe:/a:checkstyle:checkstyle</cpe>
     </suppress>
-    <suppress>
-       <notes><![CDATA[
-       Misidentification. Tomact 10.* is not the same as Tomcat 3.0
-       ]]></notes>
-       <packageUrl regex="true">^pkg:maven/org\.apache\.tomcat/tomcat-jaspic-api@10\..*$</packageUrl>
-       <cpe>cpe:/a:apache:tomcat:3.0</cpe>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[
-       Misidentification. Tomact 10.* is not the same as Tomcat 3.1
-        ]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.apache\.tomcat/tomcat-jsp-api@10\..*$</packageUrl>
-        <cpe>cpe:/a:apache:tomcat:3.1</cpe>
-    </suppress>
 </suppressions>