diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3214a556..3a1f664f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -177,7 +177,7 @@ jobs:
 yarn install
 sudo apt-get update
 sudo apt-get install -y libvips
- wget -O pdfium-linux.tgz "https://github.com/docusealco/pdfium-binaries/releases/latest/download/pdfium-linux-$(uname -m | sed 's/x86_64/x64/;s/aarch64/arm64/').tgz"
+ wget -O pdfium-linux.tgz "https://github.com/bblanchon/pdfium-binaries/releases/latest/download/pdfium-linux-$(uname -m | sed 's/x86_64/x64/;s/aarch64/arm64/').tgz"
 sudo tar -xzf pdfium-linux.tgz --strip-components=1 -C /usr/lib lib/libpdfium.so
 rm -f pdfium-linux.tgz
 - name: Run
diff --git a/app/models/user.rb b/app/models/user.rb
index 8b64a23d..a7826087 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -56,7 +56,7 @@ class User < ApplicationRecord
 EMAIL_REGEXP = /[^@;,<>\s]+@[^@;,<>\s]+/
 FULL_EMAIL_REGEXP =
- /\A[a-z0-9_]+(?:[.'+\-][a-z0-9_]+)*@(?:[a-z0-9]+[.\-])*[a-z0-9]+\.[a-z]{2,}\z/i
+ /\A[a-z0-9_]+(?:[.'+-][a-z0-9_]+)*@(?:[a-z0-9]+[.-])*[a-z0-9]+\.[a-z]{2,}\z/i
 has_one_attached :signature
 has_one_attached :initials
diff --git a/config/brakeman.ignore b/config/brakeman.ignore
index 2b2f20d5..29372ac6 100644
--- a/config/brakeman.ignore
+++ b/config/brakeman.ignore
@@ -23,6 +23,10 @@
 {
 "fingerprint": "4ce817efd946b7806f6d3da9a6923aa282e3ff992810353ed35d8f83a82cb7a0",
 "note": "HighlightCode returns escaped HTML for syntax-highlighted MCP token preview"
+ },
+ {
+ "fingerprint": "3f83dd553eb9ee8027ee629960e3e42d18b7e4143131d266899e916b7a6472c1",
+ "note": "filter_path is validated with start_with?('/') — prevents javascript: and absolute-URL payloads; Brakeman tracks taint through the conditional assignment"
 }
 ]
 }
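Review bot: The new wget line still fetches from an unpinned `releases/latest/download` URL of a third-party repository, and the following `sudo tar ... -C /usr/lib` extracts the archive as root with no integrity check, so whatever the next release of bblanchon/pdfium-binaries ships silently becomes the library CI tests against. Pin the URL to a specific release tag and verify the download before extracting, e.g. `wget -O pdfium-linux.tgz "https://github.com/bblanchon/pdfium-binaries/releases/download/<PINNED_RELEASE_TAG>/pdfium-linux-$(uname -m | sed 's/x86_64/x64/;s/aarch64/arm64/').tgz"` followed by `echo "<EXPECTED_SHA256>  pdfium-linux.tgz" | sha256sum -c -` (both placeholders to be filled in from the chosen release). The job these run steps belong to starts outside the hunk.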
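Review bot: The rewritten FULL_EMAIL_REGEXP drops the backslash before `-` in both character classes, which is equivalent only because the hyphen is now the last member of each class; a later edit that appends another character after it in `[.'+-]` or `[.-]` would silently turn the hyphen into a range operator. A short comment above the constant would guard against that, e.g. `# '-' must stay last in each character class (literal, not a range)`. The User class body continues outside the hunk.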
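Review bot: The justification added for fingerprint 3f83dd55… states that `start_with?('/')` prevents absolute-URL payloads, but a value beginning with `//` (protocol-relative) or `/\` also passes that check and is resolved as an absolute URL by browsers if filter_path ends up in a redirect or link target, so the ignore note overstates what the check rules out. Before suppressing the warning, tighten the check in the code the fingerprint refers to, e.g. `filter_path.start_with?('/') && !filter_path.start_with?('//', '/\\')`, and reword the note to describe that stronger rule. The Ruby code in question is not part of this diff, so this is inferred from the note text alone and should be confirmed against the actual site of the finding.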