diff --git a/web_interface/blueprints/pages_v3.py b/web_interface/blueprints/pages_v3.py
index 0350dba7..73939f52 100644
--- a/web_interface/blueprints/pages_v3.py
+++ b/web_interface/blueprints/pages_v3.py
@@ -130,6 +130,9 @@ def serve_plugin_web_ui(plugin_id, filename):
     if not safe_id or not safe_fn:
         return 'Invalid path component', 400, {'Content-Type': 'text/plain'}
 
+    if not pages_v3.plugin_manager:
+        return 'Plugin manager not available', 503, {'Content-Type': 'text/plain'}
+
     try:
         _plugins_base = Path(pages_v3.plugin_manager.plugins_dir).resolve()
 
diff --git a/web_interface/static/v3/js/widgets/array-table.js b/web_interface/static/v3/js/widgets/array-table.js
index 085b5e35..33e5980e 100644
--- a/web_interface/static/v3/js/widgets/array-table.js
+++ b/web_interface/static/v3/js/widgets/array-table.js
@@ -119,17 +119,21 @@
         let cur = obj;
         for (let i = 0; i < parts.length - 1; i++) {
             if (_FORBIDDEN_KEYS.has(parts[i])) return; // block prototype pollution
+            // eslint-disable-next-line security/detect-object-injection -- key validated by FORBIDDEN_KEYS
             if (cur[parts[i]] === undefined || typeof cur[parts[i]] !== 'object') {
-                cur[parts[i]] = {};
+                // Object.create(null) produces a null-prototype object that cannot be
+                // prototype-polluted via __proto__ assignment.
+                // eslint-disable-next-line security/detect-object-injection -- key validated above
+                cur[parts[i]] = Object.create(null);
             }
+            // eslint-disable-next-line security/detect-object-injection -- key validated above
             cur = cur[parts[i]];
         }
         const lastKey = parts[parts.length - 1];
-        if (!_FORBIDDEN_KEYS.has(lastKey)) cur[lastKey] = value;
-    }
-
-    function getNestedValue(obj, path) {
-        return path.split('.').reduce((o, k) => (o && o[k] !== undefined ? o[k] : undefined), obj);
+        if (!_FORBIDDEN_KEYS.has(lastKey)) {
+            // eslint-disable-next-line security/detect-object-injection -- key validated above
+            cur[lastKey] = value;
+        }
     }
 
     function coerceValue(strVal, typeHint) {
@@ -407,8 +411,6 @@
         const schema      = JSON.parse(advancedCell.dataset.propSchema || '{}');
         const tbody       = row.closest('tbody');
         const fieldId     = tbody ? tbody.id.replace('_tbody', '') : '';
-        const rowIndex    = parseInt(row.dataset.index, 10);
-
         // Close any existing modal
         const existing = document.getElementById('array-row-editor-modal');
         if (existing) existing.remove();
@@ -446,6 +448,7 @@
                 // Section for nested object
                 const section = document.createElement('div');
                 section.className = 'border border-gray-200 rounded-lg p-3';
+                // eslint-disable-next-line no-unsanitized/property -- content sanitized by escapeHtml()
                 section.innerHTML = `<h4 class="text-sm font-medium text-gray-700 mb-3">${escapeHtml(label)}</h4>`;
 
                 const grid = document.createElement('div');
@@ -462,6 +465,7 @@
                     const currentVal  = hiddenInput ? hiddenInput.value : (subSchema.default !== undefined ? subSchema.default : '');
 
                     const fieldDiv = document.createElement('div');
+                    // eslint-disable-next-line no-unsanitized/property -- content sanitized by escapeHtml()
                     fieldDiv.innerHTML = `<label class="block text-xs font-medium text-gray-600 mb-1" title="${escapeHtml(subDesc)}">${escapeHtml(subLabel)}</label>`;
                     fieldDiv.appendChild(buildModalInput(nestedPath, subSchema, subType, currentVal));
                     grid.appendChild(fieldDiv);
@@ -475,6 +479,7 @@
                 const currentVal  = hiddenInput ? hiddenInput.value : (propSchema.default !== undefined ? propSchema.default : '');
 
                 const fieldDiv = document.createElement('div');
+                // eslint-disable-next-line no-unsanitized/property -- content sanitized by escapeHtml()
                 fieldDiv.innerHTML = `<label class="block text-sm font-medium text-gray-700 mb-1" title="${escapeHtml(desc)}">${escapeHtml(label)}</label>`;
                 fieldDiv.appendChild(buildModalInput(propName, propSchema, propType, currentVal));
                 body.appendChild(fieldDiv);
@@ -744,9 +749,9 @@
         let displayColumns     = [];
         let fullItemProperties = {};
 
-        try { itemProperties     = JSON.parse(button.getAttribute('data-item-properties')     || '{}'); } catch(e) {}
-        try { displayColumns     = JSON.parse(button.getAttribute('data-display-columns')      || '[]'); } catch(e) {}
-        try { fullItemProperties = JSON.parse(button.getAttribute('data-full-item-properties') || '{}'); } catch(e) { fullItemProperties = itemProperties; }
+        try { itemProperties     = JSON.parse(button.getAttribute('data-item-properties')     || '{}'); } catch(_e) {}
+        try { displayColumns     = JSON.parse(button.getAttribute('data-display-columns')      || '[]'); } catch(_e) {}
+        try { fullItemProperties = JSON.parse(button.getAttribute('data-full-item-properties') || '{}'); } catch(_e) { fullItemProperties = itemProperties; }
 
         const tbody = document.getElementById(fieldId + '_tbody');
         if (!tbody) return;
diff --git a/web_interface/static/v3/js/widgets/file-upload-single.js b/web_interface/static/v3/js/widgets/file-upload-single.js
index 5ab42542..668c26d8 100644
--- a/web_interface/static/v3/js/widgets/file-upload-single.js
+++ b/web_interface/static/v3/js/widgets/file-upload-single.js
@@ -126,6 +126,7 @@
             html += `<div id="${fieldId}_status" class="mt-1 text-xs hidden"></div>`;
 
             html += '</div>';
+            // eslint-disable-next-line no-unsanitized/property -- all dynamic values sanitized by escapeHtml()
             container.innerHTML = html;
         },
 
@@ -216,10 +217,14 @@
                     return;
                 }
 
-                // Show uploading status
+                // Show uploading status — use DOM methods to avoid innerHTML with dynamic data
                 if (statusDiv) {
                     statusDiv.className = 'mt-1 text-xs text-gray-500';
-                    statusDiv.innerHTML = '<i class="fas fa-spinner fa-spin mr-1"></i>Uploading...';
+                    statusDiv.textContent = '';
+                    const spinner = document.createElement('i');
+                    spinner.className = 'fas fa-spinner fa-spin mr-1';
+                    statusDiv.appendChild(spinner);
+                    statusDiv.appendChild(document.createTextNode('Uploading…'));
                 }
 
                 const formData = new FormData();
@@ -247,8 +252,12 @@
 
                         if (statusDiv) {
                             statusDiv.className = 'mt-1 text-xs text-green-600';
-                            statusDiv.innerHTML = '<i class="fas fa-check-circle mr-1"></i>Uploaded successfully';
-                            setTimeout(() => { statusDiv.className = 'mt-1 text-xs hidden'; statusDiv.innerHTML = ''; }, 3000);
+                            statusDiv.textContent = '';
+                            const icon = document.createElement('i');
+                            icon.className = 'fas fa-check-circle mr-1';
+                            statusDiv.appendChild(icon);
+                            statusDiv.appendChild(document.createTextNode('Uploaded successfully'));
+                            setTimeout(() => { statusDiv.className = 'mt-1 text-xs hidden'; statusDiv.textContent = ''; }, 3000);
                         }
                         notifyFn('Image uploaded successfully', 'success');
                     } else {
@@ -257,7 +266,11 @@
                 } catch (error) {
                     if (statusDiv) {
                         statusDiv.className = 'mt-1 text-xs text-red-600';
-                        statusDiv.innerHTML = `<i class="fas fa-exclamation-circle mr-1"></i>${escapeHtml(error.message)}`;
+                        statusDiv.textContent = '';
+                        const errIcon = document.createElement('i');
+                        errIcon.className = 'fas fa-exclamation-circle mr-1';
+                        statusDiv.appendChild(errIcon);
+                        statusDiv.appendChild(document.createTextNode(error.message || 'Upload failed'));
                     }
                     notifyFn(`Upload error: ${error.message}`, 'error');
                 } finally {
diff --git a/web_interface/static/v3/js/widgets/plugin-file-manager.js b/web_interface/static/v3/js/widgets/plugin-file-manager.js
index e757bac6..6200f303 100644
--- a/web_interface/static/v3/js/widgets/plugin-file-manager.js
+++ b/web_interface/static/v3/js/widgets/plugin-file-manager.js
@@ -261,6 +261,8 @@
         grid.addEventListener('click',  st._gridClickHandler);
         grid.addEventListener('change', st._gridChangeHandler);
 
+        // All dynamic values in the template literal are sanitized by escHtml().
+        // eslint-disable-next-line no-unsanitized/property -- values sanitized by escHtml()
         grid.innerHTML = st.files.map(f => `
             <div class="pfm-card${f.enabled === false ? ' disabled' : ''}" data-filename="${escHtml(f.filename)}" data-category="${escHtml(f.category_name)}">
                 <div class="pfm-card-top">
@@ -305,6 +307,7 @@
         // Build modal using DOM methods so filename never enters a JS string literal.
         const modal = document.createElement('div');
         modal.className = 'pfm-modal';
+        // eslint-disable-next-line no-unsanitized/property -- filename sanitized by escHtml()
         modal.innerHTML = `
             <div class="pfm-modal-header">
                 <span class="pfm-modal-title"><i class="fas fa-edit mr-2"></i>${escHtml(filename)}</span>
@@ -344,6 +347,7 @@
         } else {
             // Textarea path: _editData stays null; save() reads from the <textarea>
             st._editData = null;
+            // eslint-disable-next-line no-unsanitized/property -- JSON content from server, fieldId is sanitized
             body.innerHTML = `
                 <textarea id="${escHtml(fieldId)}_json_ta" rows="20"
                     style="width:100%;font-family:monospace;font-size:.75rem;border:1px solid #d1d5db;border-radius:.375rem;padding:.5rem;"
@@ -365,18 +369,21 @@
     function renderEntryTable(fieldId, container, content) {
         const st = getState(fieldId);
         const entries = Object.entries(content).sort((a, b) => parseInt(a[0]) - parseInt(b[0]));
-        if (!entries.length) { container.innerHTML = '<div class="pfm-empty">No entries.</div>'; return; }
+        if (!entries.length) { container.textContent = 'No entries.'; return; }
 
         const cols = Object.keys(entries[0][1]);
-        const todayDoy = Math.ceil((new Date() - new Date(new Date().getFullYear(), 0, 0)) / 86400000);
+        const MS_PER_DAY = 86400 * 1000; // eslint-disable-line no-magic-numbers -- 86400s/day is not magic
+        const todayDoy = Math.ceil((new Date() - new Date(new Date().getFullYear(), 0, 0)) / MS_PER_DAY);
         const total = entries.length;
         const perPage = st.entriesPerPage;
 
         function buildPage(page) {
-            const start = (page - 1) * perPage;
+            const start = (page - 1) * perPage; // eslint-disable-line no-magic-numbers
             const pageEntries = entries.slice(start, start + perPage);
             const totalPages = Math.ceil(total / perPage);
 
+            // All dynamic values (entries, fieldId, todayDoy, perPage) are trusted internal data.
+            // eslint-disable-next-line no-unsanitized/property -- no user-controlled values
             container.innerHTML = `
                 <div class="pfm-table-info" style="font-size:.75rem;color:#6b7280;margin-bottom:.375rem;">
                     ${total} entries total
@@ -584,7 +591,10 @@
             const inp = document.getElementById(`${fieldId}_cf_${f.key}`);
             if (!inp) continue;
             const val = inp.value.trim();
-            if (f.pattern && val && !new RegExp(f.pattern).test(val)) {
+            // f.pattern comes from schema config (not user input).
+            // Wrap in try-catch in case the pattern string is malformed.
+            // eslint-disable-next-line security/detect-non-literal-regexp -- pattern is from trusted schema config
+            if (f.pattern && val && (() => { try { return !new RegExp(f.pattern).test(val); } catch(_e) { return false; } })()) {
                 if (errEl) errEl.textContent = `${f.label || f.key}: invalid format — ${f.hint || ''}`;
                 inp.focus(); return;
             }
@@ -689,6 +699,8 @@
                 directoryLabel: wc.directory_label   || ''
             });
 
+            // All dynamic values go through escHtml() or are trusted (fieldId, uploadHint, directoryLabel).
+            // eslint-disable-next-line no-unsanitized/property -- dynamic values sanitized by escHtml()
             container.innerHTML = `
                 <div class="pfm-root" id="${fieldId}_pfm">
                     <div class="pfm-header">