diff --git a/Dockerfile b/Dockerfile
index 4265d10..5e1526b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,20 +2,23 @@
 # ffmpeg/ffprobe: VIDEO_TS/BDMV metadata scanning and HEVC encode dispatch
 # openssh-client: remote encode dispatch to SSH transcode workers
 #
-# HandBrake is NOT included in this image — ffmpeg handles encoding by default.
-# If you need HandBrake (preset system, forced-subtitle burn-in), use the
-# handbrake variant: pyr0ball/discarr:handbrake
-# Or install HandBrake natively via: sudo bash install.sh
+# Base: node:22-bookworm-slim (Debian bookworm)
+# Debian's security team backports ffmpeg CVE patches to 5.1.x; Alpine's
+# community ffmpeg package has had several high CVEs open for 12+ months.
+#
+# HandBrake is NOT included — ffmpeg handles encoding by default.
+# For HandBrake presets or forced-subtitle burn-in, use:
+# pyr0ball/discarr:handbrake (or build from Dockerfile.handbrake)
+# Or install natively: sudo bash install.sh
 
-# Node 22 is the current LTS (Node 20 reached EOL 2026-04-30)
-FROM node:22-alpine
+FROM node:22-bookworm-slim
 
-# Upgrade all base packages first to pick up Alpine security patches,
-# then add runtime dependencies in the same layer.
-RUN apk upgrade --no-cache && \
- apk add --no-cache \
+# Install ffmpeg and openssh-client, then clean apt lists
+RUN apt-get update && \
+ apt-get install -y --no-install-recommends \
 ffmpeg \
- openssh-client
+ openssh-client && \
+ rm -rf /var/lib/apt/lists/*
 
 # Update npm to patch bundled tar/minimatch CVEs
 RUN npm install -g npm@latest && npm cache clean --force
diff --git a/Dockerfile.handbrake b/Dockerfile.handbrake
index 01e2806..71d84fa 100644
--- a/Dockerfile.handbrake
+++ b/Dockerfile.handbrake
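Review bot: The new `FROM node:22-bookworm-slim` line and the `apt-get install` of `ffmpeg` and `openssh-client` in this hunk are both unpinned, so the CVE posture the rewritten header comment argues for depends entirely on when the image happens to be built; the `Dockerfile.handbrake` hunk has the same shape. The Alpine version at least ran an explicit `apk upgrade` to pull current security patches, and that step has no Debian counterpart here, so a cached base layer keeps whatever ffmpeg libs it was pulled with until the tag is re-fetched. Pin the base by digest, `FROM node:22-bookworm-slim@sha256:<base-image-digest>`, and refresh that digest on a schedule (Renovate/Dependabot or an equivalent job), and either pin the package versions (`ffmpeg=<bookworm-package-version>`, hadolint DL3008) or state in the comment that the tag is expected to track Debian security updates so the next reader knows the patch level is a property of the build date, not of the Dockerfile.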
@@ -1,18 +1,21 @@
-# Discarr — HandBrake variant
+# Discarr — HandBrake variant (Debian bookworm base)
 # Includes HandBrake for preset-based encoding and forced-subtitle burn-in.
-# NOTE: Alpine's HandBrake package depends on both ffmpeg 8.x AND ffmpeg 7.x,
-# which increases the CVE surface area compared to the default image.
+#
+# NOTE: HandBrake on Debian pulls in libavcodec/libavfilter from ffmpeg 5.1.x.
+# The CVE profile is better than Alpine (Debian backports patches) but the
+# HandBrake binary and its ffmpeg libs add surface area vs the default image.
 # Use this variant only if you specifically need HandBrake features.
 #
 # Build: docker build -f Dockerfile.handbrake -t pyr0ball/discarr:handbrake .
 
-FROM node:22-alpine
+FROM node:22-bookworm-slim
 
-RUN apk upgrade --no-cache && \
- apk add --no-cache \
+RUN apt-get update && \
+ apt-get install -y --no-install-recommends \
 ffmpeg \
- handbrake \
- openssh-client
+ handbrake-cli \
+ openssh-client && \
+ rm -rf /var/lib/apt/lists/*
 
 RUN npm install -g npm@latest && npm cache clean --force