diff --git a/content/chainguard/libraries/cve-remediation.md b/content/chainguard/libraries/cve-remediation.md
index 85fdfa38de..fde4c9ff01 100644
--- a/content/chainguard/libraries/cve-remediation.md
+++ b/content/chainguard/libraries/cve-remediation.md
@@ -14,22 +14,19 @@ weight: 006
toc: true
---
-CVE remediation is a feature in Chainguard Libraries that provides security
-protection against critical and high CVEs, while medium or low CVEs are not
-considered. Applications often rely on older versions of libraries, but upstream
-maintainers may not apply and release patches for those versions. CVE
-remediation addresses this gap by applying vulnerability fixes from newer
-releases to older releases, particularly in cases where maintainers are no
-longer able to support and provide fixes.
+CVE remediation for Chainguard Libraries provides protection against
+critical and high CVEs. Applications often rely on older versions of libraries,
+but upstream maintainers may not apply and release patches for those versions.
+Chainguard addresses this gap by backporting vulnerability fixes
+from newer releases to older releases, particularly in cases where maintainers
+are no longer able to support and provide fixes.
CVE remediation helps reduce risk for organizations that cannot always upgrade
-quickly, especially when a larger upgrade to newer versions forces often disruptive
-changes. CVE remediation makes multiple incremental patch versions of affected
-older versions available, allowing a very minor upgrade that only
-addresses the CVE, but does not introduce other changes.
+quickly, especially when moving to a newer version would introduce disruptive
+changes. Remediated artifacts are published as incremental patch versions, allowing teams to take a targeted fix for a CVE without taking on a broader upgrade at the same time.
CVE remediation is available for a subset of [Chainguard Libraries for
-Python](/chainguard/libraries/python/overview/). If you want to request CVE
+Python](/chainguard/libraries/python/overview/) and [Chainguard Libraries for Java](/chainguard/libraries/java/overview/) (available in private preview). If you want to request CVE
remediation for additional libraries, reach out to your account team.
## About CVE remediation
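Review bot: the maturity label "available in private preview" for the Java libraries does not match build-configuration.md in this same patch, which describes the same Java remediation repository as "available in beta" and refers to "the beta for CVE remediation". Readers land on these pages independently, so pick one term and use it in all three files.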
@@ -49,6 +46,14 @@ provides the option to make remediated versions available for your development
or opt out of using these versions completely and continue to use upstream
versions only.
+### Remediated version naming
+
+Chainguard publishes remediated versions using ecosystem-specific version suffixes.
+
+For Python, remediated packages use a `+cgr.N` local version suffix. For example, if `flask==1.1.2` has a remediated build, Chainguard publishes it as `flask==1.1.2+cgr.1`. Python package managers treat this as a higher-precedence local version of the base release, so remediated versions can be selected automatically during dependency resolution when the remediated index is configured.
+
+For Java, remediated artifacts use a `-0.cgr.N` suffix appended to the base version. For example, if `org.apache.commons:commons-lang3:3.18.0` has a remediated build, that build is published as org.apache.`commons:commons-lang3:3.18.0-0.cgr.1`. If Chainguard publishes another remediated iteration for the same base version, the trailing number increases, such as `-0.cgr.2` or `-0.cgr.3`.
+
### CVE remediation for vendored dependencies
Some Python packages bundle compiled code written in other languages (such as Go, Rust, or C/C++) directly into their wheel. When a CVE exists in a dependency of that
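Review bot: the backtick in the Java example is misplaced: "org.apache.`commons:commons-lang3:3.18.0-0.cgr.1`" renders with "org.apache." outside the code span; it should be `org.apache.commons:commons-lang3:3.18.0-0.cgr.1`. The Python paragraph also states whether remediated builds are picked up automatically, but the Java paragraph does not; build-configuration.md in this patch says a Java build "will not receive a remediated Java artifact automatically", and saying that here too would spare readers the surprise.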
@@ -65,24 +70,23 @@ in their results.
## Browse libraries with CVE remediation
-Remediated libraries are published in a dedicated PyPI-compatible index: `https://libraries.cgr.dev/python-remediated/` (simple index at `https://libraries.cgr.dev/python-remediated/simple/`).
+Remediated libraries are published in dedicated repositories:
+- Python: In a PyPI-compatible index at `https://libraries.cgr.dev/python-remediated/` - the simple index is at `https://libraries.cgr.dev/python-remediated/simple/`
+- Java: In a repository at `https://libraries.cgr.dev/java-remediated/` - a companion to the standard Chainguard Libraries for Java repository at `https://libraries.cgr.dev/java/`
You can:
- Browse them in the Chainguard Console
- Use the public VEX feed to understand what has been remediated
- - This feed only covers backported Python-level CVEs, but does not include [vendored dependencies](#cve-remediation-for-vendored-dependencies).
+ - This feed does not include [vendored dependencies](#cve-remediation-for-vendored-dependencies).
- View them in a browser at the simple index URL
- - Learn more in [Python Overview > Manual access](/chainguard/libraries/python/overview/#manual-access).
+ - Learn more in [Python Overview > Manual access](/chainguard/libraries/python/overview/#manual-access) and in [Java Overview > Manual access](/chainguard/libraries/java/overview/#manual-access).
- Expose them to your developers via a repo manager
- - Learn more in the Python global configuration docs:
- - [JFrog Artifactory](/chainguard/libraries/python/global-configuration/#jfrog-artifactory)
- - [Cloudsmith](/chainguard/libraries/python/global-configuration/#cloudsmith)
- - [Sonatype Nexus](/chainguard/libraries/python/global-configuration/#sonatype-nexus-repository)
+ - Learn more in the global configuration docs for [Python](/chainguard/libraries/python/global-configuration/) and [Java](/chainguard/libraries/java/global-configuration/).
### Browse remediated libraries in the Chainguard Console
-In the Chainguard Console, navigate to the Python libraries, then click the **Remediated** tab. Click into a library to see which versions have remediated CVEs.
+In the Chainguard Console, navigate to the Python or Java libraries, then click the **Remediated** tab. Click into a library to see which versions have remediated CVEs.
Learn more in [Browsing Chainguard libraries](/chainguard/libraries/browse/).
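Review bot: the VEX-feed bullet lost its scope statement. The old text said the feed "only covers backported Python-level CVEs"; the new text says only that it excludes vendored dependencies, and with Java now in scope it is unclear whether Java remediations appear in the feed at all. State explicitly whether the feed includes Java artifacts. Minor: the two repository bullets use a bare " - " as a clause separator inside a list item; a colon or semicolon reads better.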
diff --git a/content/chainguard/libraries/java/build-configuration.md b/content/chainguard/libraries/java/build-configuration.md
index 8c57d41200..b2aea65fae 100644
--- a/content/chainguard/libraries/java/build-configuration.md
+++ b/content/chainguard/libraries/java/build-configuration.md
@@ -34,7 +34,11 @@ other engineers running relevant application builds. They must also be performed
on any build server such as Jenkins, TeamCity, GitHub or other infrastructure
that builds the applications or otherwise downloads and uses relevant libraries.
-## Cloudsmith
+## Library access approaches
+
+### Repo manager
+
+#### Cloudsmith
Build configuration to retrieve artifacts from Cloudsmith requires you to
authenticate. Use your username and password for Cloudsmith in your build tool
@@ -44,7 +48,7 @@ Follow the steps from the [global
configuration](/chainguard/libraries/java/global-configuration/#cloudsmith) to
determine URL and authentication details.
-## JFrog Artifactory
+#### JFrog Artifactory
Build configuration to retrieve artifacts from Artifactory typically requires
you to authenticate and use the identity token in the configuration of your
@@ -54,7 +58,7 @@ Follow the steps from the [global
configuration](/chainguard/libraries/java/global-configuration/#jfrog-artifactory)
to determine URL and authentication details.
-## Sonatype Nexus Repository
+#### Sonatype Nexus Repository
Build configuration to retrieve artifacts from Nexus may require authentication.
Use your username and password for Nexus in your build tool configuration.
@@ -63,14 +67,73 @@ Follow the steps from the [global
configuration](/chainguard/libraries/java/global-configuration/#sonatype-nexus-repository)
to determine URL and authentication details.
-## Direct access
+### Direct access
Build configuration to retrieve artifacts **directly** from the Chainguard
Libraries
-for Java repository at `https://libraries.cgr.dev/java/` requires authentication
+for Java repository requires authentication
with username and password from a pull token as detailed in
[access documentation](/chainguard/libraries/access/#pull-token).
+If using Chainguard's [CVE remediation](/chainguard/libraries/cve-remediation/) for Java libraries (available in beta), set it as the top repository. The recommended ordering for repositories is:
+1. `https://libraries.cgr.dev/javascript/remediated/` for remediated Spring Boot libraries; this is available in beta as part of the [CVE Remediation](/chainguard/libraries/cve-remediation/) feature.
+1. `https://libraries.cgr.dev/javascript/`
+1. `https://repo1.maven.org/maven2/` or your Maven Central proxy
+
+
+
+## Selecting remediated library versions
+
+When using the [CVE remediation feature](/chainguard/libraries/cve-remediation/), available in beta to Chainguard Libraries for Java, your build will not receive a remediated Java artifact automatically with the overlay repository configured. To use the remediated build, you must opt in to the suffixed version directly, or route resolution to it through dependency management, Gradle constraints, or version ranges.
+
+### Update dependency version directly
+
+For Maven, you can set the suffixed version as a dependency in your `pom.xml`. For example:
+
+```xml
+
+ org.apache.commons
+ commons-lang3
+ 3.18.0-0.cgr.1
+
+```
+
+For Gradle, you can set the suffixed version in the dependencies block in `build.gradle`:
+
+```build.gradle
+implementation 'org.apache.commons:commons-lang3:3.18.0-0.cgr.1'
+```
+
+### Override the version centrally
+
+When you use this option, the remediated version will apply to both direct and transitive dependencies.
+
+For Maven, update the `dependencyManagement` in a parent POM or the project POM:
+
+```xml
+
+
+
+ org.apache.commons
+ commons-lang3
+ 3.18.0-0.cgr.1
+
+
+
+```
+
+For Gradle, update the `constraints` block in `build.gradle`:
+
+```build.gradle
+dependencies {
+ constraints {
+ implementation('org.apache.commons:commons-lang3:3.18.0-0.cgr.1') {
+ because 'CVE remediation via Chainguard Libraries overlay'
+ }
+ }
+}
+```
+
## Apache Maven
[Apache Maven](https://maven.apache.org/) is the most widely used build tool in
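Review bot: the repository URLs in the recommended ordering are wrong for this page. `https://libraries.cgr.dev/javascript/remediated/` and `https://libraries.cgr.dev/javascript/` name the JavaScript ecosystem, while every other place in this patch uses `https://libraries.cgr.dev/java-remediated/` and `https://libraries.cgr.dev/java/` for Java, and the sentence just above dropped the `https://libraries.cgr.dev/java/` URL it used to carry, so this list is now the only place the reader sees the direct-access URL. The qualifier "for remediated Spring Boot libraries" also appears nowhere else in the patch: either the remediated repository is limited to Spring Boot, in which case cve-remediation.md should say so, or the qualifier should go. Smaller points: the two fences tagged `build.gradle` should use `groovy`, as the Gradle snippet later in this file does, since `build.gradle` is not a highlighter language; there are three consecutive blank lines after the ordering list; and the two XML snippets as they appear here show only element text (`org.apache.commons`, `commons-lang3`, the version) with no `<dependency>` or `<dependencyManagement>` tags, so confirm the tags are present in the committed file.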
@@ -222,10 +285,10 @@ Java.
If you are not using a repository manager at your organization, you can
configure access to the Chainguard Libraries for Java repository directly.
Ensure that the Chainguard repository is located above the necessary override
-for the built-in `central` repository and any other repositories.
+for the built-in `central` repository and any other repositories. If you are participating in the beta for CVE remediation, include the `https://libraries.cgr.dev/java-remediated/` repository first.
-The following `~/.m2/settings.xml` configures direct access with Chainguard as
-the primary repository and Maven Central as a fallback for transitive
+The following `~/.m2/settings.xml` configures direct access with Chainguard's remediated Java repository as
+the primary repository, falling back to the standard Chainguard Libraries repository when a remediated version is not available, and then to Maven Central as a fallback for transitive
dependencies not available from Chainguard. It uses placeholder values
`CG_PULLTOKEN_USERNAME` and `CG_PULLTOKEN_PASSWORD` or [environment
variables](/chainguard/libraries/access/#env) for the pull token detailed in
@@ -240,6 +303,12 @@ variables](/chainguard/libraries/access/#env) for the pull token detailed in
no-repo-manager
+
+ chainguard-remediated
+ https://libraries.cgr.dev/java-remediated/
+ true
+ false
+
chainguard
https://libraries.cgr.dev/java/
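Review bot: the new `chainguard-remediated` repository entry has no matching credentials in this hunk. Maven looks up `<server>` credentials by the repository `<id>`, so unless the servers block (not shown here) also gains a `chainguard-remediated` entry carrying the same `CG_PULLTOKEN_USERNAME` and `CG_PULLTOKEN_PASSWORD` placeholders, requests to `https://libraries.cgr.dev/java-remediated/` will not authenticate and Maven will move on to the next repository, which quietly defeats the ordering this change sets up. Please show that server entry in the same snippet.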
@@ -414,6 +483,8 @@ cat > ~/.m2/settings.xml << EOF
EOF
```
+If you are using Chainguard's remediated repository for Java libraries, make sure to add `https://libraries.cgr.dev/java-remediated/` first, as shown in the [direct access example](#direct-access) earlier on this page.
+
**5. Build the project**
Then build the project:
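Review bot: the link `[direct access example](#direct-access)` now resolves to the `### Direct access` heading added earlier in this patch under "Library access approaches", which holds the repository ordering list and not the `settings.xml` example the sentence refers to. If the settings.xml example sits under its own heading in the Apache Maven section, link to that heading's anchor instead; the Gradle counterpart in this patch links `#direct-access-to-chainguard-libraries`.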
@@ -554,10 +625,18 @@ for your pull token credentials.
Open `app/build.gradle` and update the `repositories` block to include the
Chainguard repository. Ensure it is located above the `mavenCentral` repository
-and any other repositories:
+and any other repositories. If you are using Chainguard's [remediated library repository](/chainguard/libraries/cve-remediation/), set it as the top repository:
```groovy
repositories {
+ maven {
+ url = uri("https://libraries.cgr.dev/java-remediated/")
+ credentials {
+ username = providers.environmentVariable("CHAINGUARD_JAVA_IDENTITY_ID").orNull
+ password = providers.environmentVariable("CHAINGUARD_JAVA_TOKEN").orNull
+ }
+ }
+
maven {
url = uri("https://libraries.cgr.dev/java/")
credentials {
@@ -644,6 +723,8 @@ repositories {
}
```
+If you are using Chainguard's remediated repository for Java libraries, make sure to add `https://libraries.cgr.dev/java-remediated/` first, as shown in the [direct access example](#direct-access-to-chainguard-libraries) earlier in the Gradle section on this page.
+
**4. Build the project**
Run the following command:
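Review bot: the anchor `#direct-access-to-chainguard-libraries` will only point at the Gradle example if no earlier heading on the page has the same text; if the Maven section uses the same "Direct access to Chainguard Libraries" heading, most static-site generators suffix the second occurrence and "earlier in the Gradle section" will jump to the Maven example. Verify the rendered anchor before merging.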
diff --git a/content/chainguard/libraries/java/global-configuration.md b/content/chainguard/libraries/java/global-configuration.md
index 58fbe90887..cfab383870 100644
--- a/content/chainguard/libraries/java/global-configuration.md
+++ b/content/chainguard/libraries/java/global-configuration.md
@@ -75,44 +75,45 @@ by defining multiple upstream repositories.
Use the following steps to add a repository with the Maven Central Repository
and the Chainguard Libraries for Java repository as Maven upstream repositories.
-Configure a *java-all* repository:
+Configure a `java-all` repository:
1. Log in as a user with administrator privileges.
1. Select the **Repositories** tab near the top of the screen.
1. On the **Repositories** page, click the **+ New repository** button.
-1. Enter the name *java-all* for your new repository. The name should
- include *java* to identify the ecosystem. This convention helps
+1. Enter the name `java-all` for your new repository. The name should
+ include `java` to identify the ecosystem. This convention helps
avoid confusion since repositories in Cloudsmith are multi-format.
1. Select a storage region that is appropriate for your organization and
infrastructure.
-1. Press **+ Create Repository**.
+1. Click **+Create Repository**.
Configure an upstream proxy for the Maven Central Repository:
-1. Click the name of the new *java-public* repository on the repositories
+1. Click the name of the new `java-public` repository on the repositories
page to configure it.
-1. Access the **Upstreams** tab and click **+ Add Upstream Proxy**.
-1. Configure an upstream proxy with the format **Maven** and the following details:
-1. Configure another upstream proxy with the following details
- * **Name** *java-public*
- * **Priority** *2*
- * **Upstream URL** *https://repo1.maven.org/maven2/*
- * **Mode** *Cache and Proxy*
-1. Press **Create Upstream Proxy**.
+1. Click the **Upstreams** tab, then click **+Add Upstream Proxy**.
+1. Configure an upstream proxy with the format **Maven**.
+1. Configure another upstream proxy with the following:
+ * **Name**: `java-public`
+ * **Priority**: `2`
+ * **Upstream URL**: `https://repo1.maven.org/maven2/`
+ * **Mode**: Cache and Proxy
+1. Click **Create Upstream Proxy**.
Configure an upstream proxy for the Chainguard Libraries for Java repository:
-1. Click the name of the new *java-chainguard* repository on the repositories
+1. Click the name of the new `java-chainguard` repository on the repositories
page to configure it.
-1. Access the **Upstreams** tab and click **+ Add Upstream Proxy**.
+1. Click the **Upstreams** tab, then click **+Add Upstream Proxy**.
1. Configure an upstream proxy with the format **Maven** and the following details:
- * **Name** *java-chainguard*
- * **Priority** *1*
- * **Proxy URL** *https://libraries.cgr.dev/java/*
- * **Mode** *Cache and Proxy*
- * Add the **Username** and **Password** value from [Chainguard Libraries
- access](/chainguard/libraries/access/) in **Authentication Settings**
-1. Press **Create Upstream Proxy**.
+ * **Name**: `java-chainguard`
+ * **Priority**: `1`
+ * **Proxy URL**: `https://libraries.cgr.dev/java/`
+ * **Mode**: Cache and Proxy
+ * **Authentication Settings**: Enter the **Username** and **Password** value from [Chainguard Libraries
+ access](/chainguard/libraries/access/).
+1. Click **Create Upstream Proxy**.
+1. If you are using the separate repository with remediated Java libraries, repeat the preceding steps to create remote repository named `java-chainguard-remediated` with a URL set to `https://libraries.cgr.dev/java/remediated/`. Use the same authentication details.
Use this setup for initial testing with Chainguard Libraries for Java. For
production usage, add the `java-chainguard` upstream proxy to your production
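Review bot: the remediated upstream URL `https://libraries.cgr.dev/java/remediated/` disagrees with `https://libraries.cgr.dev/java-remediated/` used in cve-remediation.md and build-configuration.md in this same patch; one of them is wrong, and a wrong URL here means the proxy silently serves nothing. The same URL is repeated in the Artifact Registry, Artifactory and Nexus sections below. In the same step, "create remote repository" is missing an article and, in Cloudsmith's own terms, this is an upstream proxy rather than a repository; the step also gives no **Priority**, while the two existing proxies use 1 and 2 and Cloudsmith resolves in priority order, so say which priority the remediated proxy gets (it has to sort ahead of `java-chainguard`). Two pre-existing problems that these rewritten lines carry forward: "Click the name of the new `java-public` repository" and "Click the name of the new `java-chainguard` repository" should both name the `java-all` repository created above, since `java-public` and `java-chainguard` are the proxy names; and "Configure an upstream proxy with the format **Maven**." followed by "Configure another upstream proxy with the following:" reads as two proxies where one is meant, so merge them into one step. Minor: the button labels changed from "+ Create Repository" and "+ Add Upstream Proxy" to "+Create Repository" and "+Add Upstream Proxy"; check the spacing against the UI.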
@@ -124,7 +125,7 @@ The following steps allow you to determine the URL and authentication details
for accessing the repository:
1. Select the **Packages** tab.
-1. Press **Push/Pull Packages**.
+1. Click **Push/Pull Packages**.
1. Choose the format **Maven**.
1. Copy the value in the `` tag from the XML snippet with the
`` entry. For example,
@@ -133,16 +134,16 @@ for accessing the repository:
repository `java-all` as well as `maven` as identifier for the format are
part of the URL.
1. Copy the username and password values block from the second code snippet for
- authentication after choosing the desired authentication of *Default* or
- *API Key*.
+ authentication after choosing the desired authentication of **Default** or
+ **API Key**.
Choose a different format and the equivalent sections if you are using another
build tools such as Gradle.
Use the URL of the repository, the username, and the password for the server
authentication block in the [build
-configuration](/chainguard/libraries/java/build-configuration/). and build a
-first test project. In a working setup all libraries retrieved from Chainguard
+configuration](/chainguard/libraries/java/build-configuration/) and build a
+first test project. In a working setup, all libraries retrieved from Chainguard
are tagged with the name of the upstream proxy.
@@ -173,57 +174,60 @@ Before configuring the repositories, you must create a secret with the [password
value as retrieved with chainctl](/chainguard/libraries/access/):
1. Navigate to the **Secret Manager**
-1. Press **Create secret**.
-1. Set the **Name** to *chainguard-libraries-java*.
-1. Use the **Password** from chainctl output to set the **Secret value**.
-1. Press **Create secret**.
+1. Click **Create secret**.
+1. Set the **Name** to `chainguard-libraries-java`.
+1. Set the **Secret** value to the password from your `chainctl` output.
+1. Click **Create secret**.
Navigate to Artifact Registry and select **Repositories** in the left hand
navigation under the **Artifact Registry** label to configure a remote
repository for the Maven Central Repository:
-1. Press **Create a Repository** or the **+** button.
-1. Set the **Name** to *java-public*.
-1. Set the **Format** to *Maven*.
-1. Select *Remote* for the **Mode**.
-1. Select *Maven Central* for the **Remote repository source**.
-1. Choose a suitable **Region** for your development in **Location type**.
-1. Press **Create**.
+1. Click **Create a Repository** (or the **+** button).
+1. Configure the repository:
+ * **Name**: `java-public`
+ * **Format**: Maven
+ * **Mode**: Remote
+ * **Remote repository source**: Maven Central
+ * **Location type > Region**: Select a region.
+1. Click **Create**.
Configure a remote repository for the Chainguard Libraries for Java repository:
-1. Press the **+** button to add another repository.
-1. Set the **Name** to *java-chainguard*.
-1. Set the **Format** to *Maven*.
-1. Select *Remote* for the **Mode**.
-1. Select *Custom* for the **Remote repository source**.
-1. Set the URL for the Custom repository to *https://libraries.cgr.dev/java/*.
-1. Select *Authenticated* in **Remote repository authentication mode**.
-1. Set **Username for the upstream repository** to the [value as retrieved
+1. Click **+** to add another repository.
+1. Configure the repository:
+ * **Name**: `java-chainguard`
+ * **Format**: `Maven`
+ * **Mode**: Remote
+ * **Remote repository source**: Custom
+ * **Custom repository URL**: `https://libraries.cgr.dev/java/`
+ * **Remote repository authentication mode**: Authenticated
+ * **Username for the upstream repository**: Set this to the [value as retrieved
with chainctl](/chainguard/libraries/access/).
-1. Select the *chainguard-libraries-java* secret in the list for the **Secret** input.
-1. Choose the same suitable **Region** for your development in **Location type**
- as configured for the *java-public* repository.
-1. Press **Create**.
-
-Combine the two repositories in a new virtual repository:
-
-1. Press the **+** button to add another repository.
-1. Set the **Name** to *java-all*.
-1. Set the **Format** to *Maven*.
-1. Select *Virtual* for the **Mode**.
-1. Press **Add upstream repository** in **Virtual upstream repositories**.
-1. Use the **Browse** button to locate and select the *java-chainguard*
+ * **Secret**: Select the `chainguard-libraries-java` secret in the list.
+ * **Location type > Region**: Select the same region configured for your `java-public` repository.
+1. Click **Create**.
+1. If you are using the separate repository with remediated Java libraries, repeat the preceding steps to create remote repository named `java-chainguard-remediated` with a URL set to `https://libraries.cgr.dev/java/remediated/`. Use the same authentication details.
+
+Combine the repositories in a new virtual repository:
+
+1. Click the **+** button to add another repository.
+1. Configure the repository:
+ * **Name**: `java-all`
+ * **Format**: Maven
+ * **Mode**: Virtual
+1. Under **Virtual upstream repositories**, click **Add upstream repository**.
+1. Use the **Browse** button to locate and select the `java-chainguard`
repository as **Repository 1** and set the **Policy name 1** to
- *java-chainguard*.
-1. Use the **Browse** button to locate and select the *java-public* repository
- as **Repository 1** and set the **Policy name 1** to *java-public*.
-1. Press **Add upstream repository** in **Virtual upstream repositories**.
-1. Set the **Priority** value for the *java-chainguard* policy name to a higher
- value than the *java-public* priority value.
-1. Choose the same suitable **Region** for your development in **Location type**
- as configured for the *java-public* repository.
-1. Press **Create**.
+ `java-chainguard`.
+1. Use the **Browse** button to locate and select the `java-public` repository
+ as **Repository 1** and set the **Policy name 1** to `java-public`.
+1. Under **Virtual upstream repositories**, click **Add upstream repository**.
+1. Set the **Priority** value for the `java-chainguard` policy name to a higher
+ value than the `java-public` priority value.
+ * If you are using the remediated repository, add the `java-chainguard-remediated` repository and ensure it is the first in the displayed list. If not, ensure the `java-chainguard` repository is first.
+1. Under **Location type**, choose the same suitable **Region** for your development as configured for the `java-public` repository.
+1. Click **Create**.
### Build tool access
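Review bot: the final bullet "If you are using the remediated repository, add the `java-chainguard-remediated` repository and ensure it is the first in the displayed list. If not, ensure the `java-chainguard` repository is first" looks copied from the Artifactory steps: in this Artifact Registry flow the step directly above expresses ordering through the numeric **Priority** value, not list position, so tell the reader what priority to give `java-chainguard-remediated` relative to `java-chainguard`. The remediated URL has the same inconsistency as the Cloudsmith section (`https://libraries.cgr.dev/java/remediated/` versus `https://libraries.cgr.dev/java-remediated/` elsewhere in the patch). Carried-forward defect: the `java-public` step says "as **Repository 1** and set the **Policy name 1**", which would overwrite the `java-chainguard` entry just added; it should be Repository 2 and Policy name 2, and the "click **Add upstream repository**" step that follows it belongs before it. Minor: the `java-chainguard` block formats the **Format** value as code while the `java-public` block above uses plain "Maven".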
@@ -232,13 +236,13 @@ repository:
1. Navigate to Artifact Registry and select **Repositories** in the left hand
navigation under the **Artifact Registry** label.
-1. Click on the **java-all** repository name in the list of repositories.
-1. Press the **Setup instructions** button and follow the documentation. Note
+1. Click the `java-all` repository name in the list of repositories.
+1. Click **Setup instructions** and follow the documentation. Note
that you must add the extension
`com.google.cloud.artifactregistry:artifactregistry-maven-wagon` to each
project.
-In a working setup, the **chainguard** remote repository contains all artifacts
+In a working setup, the `chainguard` remote repository contains all artifacts
retrieved from Chainguard.
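Review bot: "the `chainguard` remote repository" matches no name created in this section; the remote repository is `java-chainguard` (and `java-chainguard-remediated` when the remediated repository is in use). Since this line is being reformatted anyway, correct the name.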
@@ -258,43 +262,45 @@ Libraries for Java repository as remote repositories and combine them as a
virtual repository:
1. Log in as a user with administrator privileges.
-1. Press **Administration** in the top navigation bar.
+1. Click **Administration** in the top navigation bar.
1. Select **Repositories** in the left hand navigation.
Configure a remote repository for the Maven Central Repository:
-1. Press **Create a Repository** and choose the **Remote** option.
-1. Select *Maven* as the **Package type**.
-1. Set the **Repository Key** to *java-public*.
-1. Set the **URL** to *https://repo1.maven.org/maven2/* .
-1. Deactivate **Maven Settings - Handle Snapshots**.
-1. Press **Create Remote Repository**.
+1. Click **Create a Repository** and choose the **Remote** option.
+1. Configure the repository:
+ * **Package type**: Maven
+ * **Repository Key**: `java-public`
+ * **URL**: `https://repo1.maven.org/maven2/`
+ * Deactivate **Maven Settings - Handle Snapshots**.
+1. Click **Create Remote Repository**.
Configure a remote repository for the Chainguard Libraries for Java repository:
-1. Press **Create a Repository** and choose the **Remote** option.
-1. Select *Maven* as the **Package type**.
-1. Set the **Repository Key** to *java-chainguard*.
-1. Set the **URL** to *https://libraries.cgr.dev/java/*.
-1. Set **User Name** and **Password / Access Token** to the [values as retrieved
- with chainctl](/chainguard/libraries/access/).
-1. Optionally click the **Test** button to verify connection and authentication.
-1. Deactivate **Maven Settings - Handle Snapshots**.
-1. Access the **Advanced** configuration tab and deactivate the **Block
- Mismatching Mime Types** setting in the **Others** section.
-1. Press **Create Remote Repository**.
-
-Combine the two repositories in a new virtual repository:
-
-1. Press **Create a Repository** and choose the **Virtual** option.
-1. Select *Maven* as the **Package type**.
-1. Set the **Repository Key** to *java-all*.
-1. Scroll down to the **Repositories** section
-1. Add the *java-chainguard* and *java-public* repositories. Ensure the
- *java-chainguard* repository is the first in the displayed list. Use the icon
- on the right of the repository name to drag and drop repositories into the
+1. Click **Create a Repository** and choose the **Remote** option.
+1. Configure the repository:
+ * **Package type**: Maven
+ * **Repository Key**: `java-chainguard`
+ * **URL**: `https://libraries.cgr.dev/java/`
+ * **User Name** and **Password / Access Token**: Set to the [values as retrieved with chainctl](/chainguard/libraries/access/).
+ * Deactivate **Maven Settings - Handle Snapshots**.
+1. Optionally click **Test** to verify connection and authentication.
+1. Click the **Advanced** configuration tab. Under the **Others** section, deactivate the **Block
+ Mismatching Mime Types** setting.
+1. Click **Create Remote Repository**.
+1. If you are using the separate repository with remediated Java libraries, repeat the preceding steps to create remote repository named `java-chainguard-remediated` with a URL set to `https://libraries.cgr.dev/java/remediated/`. Use the same authentication details.
+
+Combine the repositories in a new virtual repository:
+
+1. Click **Create a Repository** and choose the **Virtual** option.
+1. Configure the repository:
+ * **Package type**: Maven
+ * **Repository Key**: `java-all`
+1. Scroll down to the **Repositories** section.
+1. Add the `java-chainguard` and `java-public` repositories. Drag and drop repositories into the
desired position.
-1. Press **Create Virtual Repository**.
+ * If you are using the remediated repository, add the `java-chainguard-remediated` repository and ensure it is the first in the displayed list. If not, ensure the `java-chainguard` repository is first.
+1. Click **Create Virtual Repository**.
Use this setup for initial testing with Chainguard Libraries for Java. For
production usage add the `java-chainguard` repository to your production virtual
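Review bot: same two issues as the Cloudsmith section: the remediated remote URL `https://libraries.cgr.dev/java/remediated/` conflicts with `https://libraries.cgr.dev/java-remediated/` elsewhere in the patch, and "repeat the preceding steps to create remote repository named" is missing an article. The step says to reuse the authentication details but not whether **Maven Settings - Handle Snapshots** and **Block Mismatching Mime Types** should also be deactivated for the remediated remote; "repeat the preceding steps" implies yes, so say so. The "If you are using the remediated repository" sub-bullet under the add-repositories step should also spell out the intended order: `java-chainguard-remediated`, then `java-chainguard`, then `java-public`.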
@@ -340,16 +346,16 @@ Do not proceed to virtual repository setup or build configuration until the chec
The following steps allow you to determine the URL and authentication details
for accessing the repository:
-1. Press **Administration** in the top navigation bar.
+1. Click **Administration** in the top navigation bar.
1. Select **Repositories** in the left hand navigation.
1. Select the **Virtual** tab in the repositories view.
-1. Locate the **chainguard-maven** repository.
+1. Locate the `chainguard-maven` repository.
1. Hover over the row and click the **...** in the last column on the right.
1. Select **Set Me Up** in the dialog.
-1. Press **Generate Token & Create Instructions**
+1. Click **Generate Token & Create Instructions**.
1. Copy the generated token value to use as the password for authentication.
-1. Press **Generate Settings**.
-1. Copy the value from a *url* field. They are all identical. For example,
+1. Click **Generate Settings**.
+1. Copy the value from a **url** field. They are all identical. For example,
`https://exampleorg.jfrog.io/artifactory/java-all/` with `exampleorg`
replaced with the name of your organization.
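Review bot: "Locate the `chainguard-maven` repository" names a repository this section never creates; the virtual repository built above is `java-all`, and the example URL in the same step, `https://exampleorg.jfrog.io/artifactory/java-all/`, already uses that name. Since the line is being reformatted, fix the name at the same time.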
@@ -364,9 +370,9 @@ all libraries retrieved from Chainguard.
[Sonatype Nexus
Repository](https://www.sonatype.com/products/sonatype-nexus-repository)
-includes a *maven-public* repository group out of the box. It groups access to
-the Maven Central Repository from the *maven-central* repository with the
-internal *maven-releases* and *maven-snapshot* repositories. Refer to the [Maven
+includes a `maven-public` repository group out of the box. It groups access to
+the Maven Central Repository from the `maven-central` repository with the
+internal `maven-releases` and `maven-snapshot` repositories. Refer to the [Maven
Repositories documentation for
Nexus](https://help.sonatype.com/en/maven-repositories.html) for more
information.
@@ -381,41 +387,41 @@ repository for the Maven Central Repository, a separate proxy repository
Chainguard Libraries for Java repository, and a separate repository group:
1. Log in as a user with administrator privileges.
-1. Access the **Server administration** and configuration section with the gear
- icon in the top navigation bar.
+1. Click the gear icon in the top navigation bar to access **Server administration**.
Configure a remote repository for the Maven Central Repository:
1. Select **Repository - Repositories** in the left hand navigation.
-1. Press **Create repository**.
-1. Select the **maven2 (proxy)** recipe.
-1. Provide a new name *java-public*.
-1. Ensure **Maven 2 - Version policy** is set to *Release*.
-1. In the **Proxy - Remote storage** input add the URL *https://repo1.maven.org/maven2/*.
-1. Press **Create repository**.
+1. Click **Create repository**, then select the `maven2 (proxy)` recipe.
+1. Configure the repository:
+ * **Name**: `java-public`
+ * **Maven 2 - Version policy**: `Release`
+ * **Proxy - Remote storage**: Add the URL `https://repo1.maven.org/maven2/`.
+1. Click **Create repository**.
Configure a remote repository for the Chainguard Libraries for Java repository:
1. Select **Repository - Repositories** in the left hand navigation.
-1. Press **Create repository**.
-1. Select the **maven2 (proxy)** recipe.
-1. Provide a new name *java-chainguard*.
-1. Ensure **Maven 2 - Version policy** is set to *Release*.
-1. In the **Proxy - Remote storage** input add the URL *https://libraries.cgr.dev/java/*.
-1. In **HTTP - Authentication** with the **Authentication type** *username*,
+1. Click **Create repository**, then select the `maven2 (proxy)` recipe.
+1. Configure the repository:
+ * **Name**: `java-chainguard`
+ * **Maven 2 - Version policy**: `Release`.
+ * **Proxy - Remote storage**: Add the URL `https://libraries.cgr.dev/java/`
+ * **HTTP - Authentication** Select the `username` **Authentication type**, and
provide the [username and password values as retrieved with
chainctl](/chainguard/libraries/access/).
-1. Press **Create repository**.
+1. Click **Create repository**.
+1. If you are using the separate repository with remediated Java libraries, repeat the preceding steps to create remote repository named `java-chainguard-remediated` with a URL set to `https://libraries.cgr.dev/java/remediated/`. Use the same authentication details.
-Combine a new repository group and add the two repositories:
+Combine a new repository group and add the repositories:
1. Select **Repository - Repositories** in the left hand navigation.
-1. Press **Create repository**.
-1. Select the **maven2 (group)** recipe.
-1. Provide a new name *java-all*.
-1. In the section **Group - Member repositories**, move the new repositories
- `java-public` and `java-chainguard` to the right and move the
- `java-chainguard` repository to the top of the list with the arrow control.
+1. Click **Create repository**, then select the `maven2 (group)` recipe.
+1. Configure the repository:
+ * **Name**: `java-all`
+ * Under **Group - Member repositories**, move the new repositories
+ `java-public` and `java-chainguard` to the right. Move the
+ `java-chainguard` repository to the top of the list with the arrow control. If you are using the remediated repository, move the `java-chainguard-remediated` repository to the top.
### Build tool access
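Review bot: The member list in the group step (`* Under **Group - Member repositories**, move the new repositories` / `java-public` and `java-chainguard` to the right.`) never adds `java-chainguard-remediated` as a member; the next sentence only says to move it to the top, so a reader who followed the optional remediated-repository step ends up with a group that does not contain it. Suggest: "If you are using the remediated repository, also move `java-chainguard-remediated` to the right and place it above `java-chainguard`, so the order is `java-chainguard-remediated`, `java-chainguard`, `java-public`." Since the hunk already relies on member order to make `java-chainguard` win over `java-public`, the remediated proxy needs the same explicit treatment relative to `java-chainguard`, otherwise the group quietly serves the unremediated build. Minor style: `**Maven 2 - Version policy**: `Release`.` in the second block has a trailing period the first block lacks, `**HTTP - Authentication** Select the` is missing the colon the other bullets use, and "create remote repository named" should read "create a remote repository named".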
@@ -424,17 +430,17 @@ for accessing the repository:
1. Click **Browse** in the **Welcome** view or the browse icon (cube) in the top
navigation bar.
-1. Locate the **URL** column for the *java-all* repository group and press
- **copy**. For example, `https://repo.example.com/repository/java-all/` with
- `repo.example.com` replaced with the hostname of your repository manager.
-1. Copy the URL in the dialog.
-1. Use your configured username and password unless **Security** - **Anonymous
- Access** - **Access** - **Allow anonymous users to access the server** is
+1. Locate the **URL** column for the `java-all` repository group and click
+ **Copy**.
+ * For example, `https://repo.example.com/repository/java-all/` (with
+ `repo.example.com` replaced with the hostname of your repository manager).
+1. Use your configured username and password, unless **Security > Anonymous
+ Access > Access > Allow anonymous users to access the server** is
activated. Details vary based on your configured authentication system.
Use the URL of the repository group, such as
-*https://repo.example.com/repository/java-all/* or
-*https://repo.example.com/repository/maven-public/* in the [build
+`https://repo.example.com/repository/java-all/` or
+`https://repo.example.com/repository/maven-public/` in the [build
configuration](/chainguard/libraries/java/build-configuration/) and build a
first test project. In a working setup the `java-chainguard` proxy repository contains
all libraries retrieved from Chainguard.
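Review bot: The closing sentence (`In a working setup the `java-chainguard` proxy repository contains` / `all libraries retrieved from Chainguard.`) is no longer accurate once the optional `java-chainguard-remediated` proxy from the earlier hunk is in use, because remediated artifacts would be cached there rather than in `java-chainguard`. Suggest: "In a working setup the `java-chainguard` proxy repository (and `java-chainguard-remediated`, if configured) contains all libraries retrieved from Chainguard." The `https://repo.example.com/repository/maven-public/` alternative also sits oddly next to a procedure that only creates `java-all`; either state that the Chainguard proxies must be added to that default group as well, or drop it and keep only `java-all`.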
diff --git a/content/chainguard/libraries/java/overview.md b/content/chainguard/libraries/java/overview.md
index 0f306130d8..72fc4ca949 100644
--- a/content/chainguard/libraries/java/overview.md
+++ b/content/chainguard/libraries/java/overview.md
@@ -115,6 +115,16 @@ Alternatively, you can use the token for direct access from a build tool as
discussed in [Build
configuration](/chainguard/libraries/java/build-configuration/).
+## CVE remediation
+
+Chainguard Libraries for Java includes the [CVE
+Remediation](/chainguard/libraries/cve-remediation/) feature, available in beta for Spring Boot. Remediated
+libraries include an appended local version identifier of `-0.cgr.N`.
+
+For example, if `org.apache.commons:commons-lang3:3.18.0` has a remediated build, that build is published as `org.apache.commons:commons-lang3:3.18.0-0.cgr.1`. If Chainguard publishes another remediated iteration for the same base version, the trailing number increases, such as `-0.cgr.2` or `-0.cgr.3`.
+
+Maven and Gradle treat the `-0` as part of the version ordering. In practice, `3.18.0-0.cgr.1` sorts higher than `3.18.0`. This means version ranges or dependency management rules can resolve to the remediated build when the overlay repository is available.
+
## Manual access
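Review bot: The ordering claim (`Maven and Gradle treat the `-0` as part of the version ordering. In practice, `3.18.0-0.cgr.1` sorts higher than `3.18.0`.`) needs a caveat and a recommendation. The remediated build is only a candidate when the repository serving `https://libraries.cgr.dev/java/remediated/` is configured and ordered ahead of the others, and picking up a fix through a version range makes the result depend on which repositories were reachable at resolution time; the section should advise declaring the exact `-0.cgr.N` version in dependency management (and committing the resulting resolution or lock file) rather than relying on range resolution. `overlay repository` is also not defined anywhere in this section; name it as the remediated repository or link to the repository manager setup. Finally, "local version identifier" is PEP 440 (Python) terminology; for Maven coordinates "version suffix" or "qualifier" is what readers will recognize.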
diff --git a/content/software-security/learning-labs/ll202604.md b/content/software-security/learning-labs/ll202604.md
index 0ecc4c0b94..e7caa123b0 100644
--- a/content/software-security/learning-labs/ll202604.md
+++ b/content/software-security/learning-labs/ll202604.md
@@ -15,7 +15,7 @@ toc: true
---
The April 2026 Learning Lab with Erika Heidi goes through how attackers exploit vulnerable GitHub Actions workflows, and how Chainguard can protect your CI/CD pipelines from these threats.
-{{< youtube D9tORVR4H9g }}
+{{< youtube D9tORVR4H9g >}}
## Sections