diff --git a/.cargo/audit.toml b/.cargo/audit.toml
index bcf31fb..6c5541a 100644
--- a/.cargo/audit.toml
+++ b/.cargo/audit.toml
@@ -12,6 +12,10 @@ ignore = [
 # JWT signing in `hyperapi-salesforce`, where timing sidechannels are not
 # observable to a remote attacker. Threat model does not apply.
 "RUSTSEC-2023-0071",
+ # `ttf-parser` unmaintained (RUSTSEC-2026-0192, informational). Transitive via
+ # `plotters` chart rendering in hyperdb-mcp; no direct use, no patch exists, no
+ # runtime risk. Tracking plotters-rs/plotters#736. Mirror of deny.toml.
+ "RUSTSEC-2026-0192",
 ]
 
 # Forward-looking note (no waiver yet — RustSec hasn't issued an ID):
diff --git a/deny.toml b/deny.toml
index 3c2e281..aeeab93 100644
--- a/deny.toml
+++ b/deny.toml
@@ -63,6 +63,14 @@ ignore = [
 # model does not apply. Re-evaluate when `rsa` publishes the constant-time
 # implementation.
 { id = "RUSTSEC-2023-0071", reason = "rsa used only for outbound JWT signing where Marvin Attack threat model does not apply" },
+ # `ttf-parser` is unmaintained (RUSTSEC-2026-0192, informational — author has
+ # stepped away; no patched version exists, the advisory flags all versions).
+ # Pulled transitively via `plotters` (chart rendering in hyperdb-mcp); we never
+ # call it directly. Not a vulnerability — no runtime risk. Plotters has no
+ # maintained-font backend yet (both `ttf` and `ab_glyph` paths end at
+ # ttf-parser); tracking upstream at plotters-rs/plotters#736. Re-evaluate when
+ # plotters migrates its font stack (e.g. to skrifa).
+ { id = "RUSTSEC-2026-0192", reason = "ttf-parser unmaintained, no patch exists; transitive via plotters chart rendering, no direct use, no runtime risk" },
 ]
 
 # Forward-looking note (no waiver yet — RustSec hasn't issued an ID):
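Review bot: The "no runtime risk" justification on the new `"RUSTSEC-2026-0192"` waiver in the `.cargo/audit.toml` hunk (and the longer comment block in the `deny.toml` hunk, which shares the same gap) rests on an unstated premise: an unmaintained font parser is only harmless if the bytes it parses never come from an untrusted party, and neither comment records where `plotters` obtains its font data. "No direct use" does not by itself settle this, since the comments themselves say ttf-parser sits on plotters' font path and is therefore exercised whenever a chart is rendered; what matters is whether those fonts are bundled or system files versus anything an MCP client can influence. I would write that premise into the waiver so it is checked at re-evaluation time, e.g. above the `"RUSTSEC-2026-0192",` line: `# Font data reaches ttf-parser only from <BUNDLED-OR-SYSTEM-FONT-SOURCE>, never from client-supplied input; the "no runtime risk" claim depends on this.`, with the same sentence added to the deny.toml comment block. The enclosing `ignore = [` arrays in both files open before their hunks, so the waivers' surrounding context is not visible here.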