diff --git a/v2/crates/homecore-plugins/Cargo.toml b/v2/crates/homecore-plugins/Cargo.toml
index 182211ba..3b7325fa 100644
--- a/v2/crates/homecore-plugins/Cargo.toml
+++ b/v2/crates/homecore-plugins/Cargo.toml
@@ -51,7 +51,9 @@ serde_json = "1"
 uuid = { version = "1", features = ["v4"] }
 
 # Optional Wasmtime runtime (P2, default-off — 30 MB dep).
-wasmtime = { version = "25", optional = true }
+# Bumped from 25.0.3 → 42 to remediate RUSTSEC-2026-0095 and RUSTSEC-2026-0096
+# (Cranelift/Winch sandbox-escape CVEs, CVSS 9.0 — iter-11 security sprint HC-03/04).
+wasmtime = { version = "42", optional = true }
 
 # Optional wasm3 interpretation runtime (P3, default-off).
 wasm3 = { version = "0.3", optional = true }