diff --git a/CHANGES b/CHANGES
index 8f5dff5f6..7069c28ea 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2007,3 +2007,6 @@
 * redis: Set maxmemory and maxmemory-policy
 * Add mlock capability to manifest (for vault app)
+[5.4.0]
+* Update nginx to 1.18 for various security fixes
+
diff --git a/baseimage/initializeBaseUbuntuImage.sh b/baseimage/initializeBaseUbuntuImage.sh
index 1d52bf154..35ef8f7fc 100755
--- a/baseimage/initializeBaseUbuntuImage.sh
+++ b/baseimage/initializeBaseUbuntuImage.sh
@@ -13,6 +13,8 @@ function die {
 export DEBIAN_FRONTEND=noninteractive
+readonly ubuntu_codename=$(lsb_release -cs)
+
 # hold grub since updating it breaks on some VPS providers. also, dist-upgrade will trigger it
 apt-mark hold grub* >/dev/null
 apt-get -o Dpkg::Options::="--force-confdef" update -y
@@ -52,16 +54,11 @@ apt-get -y install \
 unbound \
 xfsprogs
-if [[ "${ubuntu_version}" == "16.04" ]]; then
- echo "==> installing nginx for xenial for TLSv3 support"
-
- curl -sL http://nginx.org/packages/ubuntu/pool/nginx/n/nginx/nginx_1.14.0-1~xenial_amd64.deb -o /tmp/nginx.deb
- # apt install with install deps (as opposed to dpkg -i)
- apt install -y /tmp/nginx.deb
- rm /tmp/nginx.deb
-else
- apt install -y nginx-full
-fi
+echo "==> installing nginx for xenial for TLSv3 support"
+curl -sL http://nginx.org/packages/ubuntu/pool/nginx/n/nginx/nginx_1.18.0-1~${ubuntu_codename}_amd64.deb -o /tmp/nginx.deb
+# apt install with install deps (as opposed to dpkg -i)
+apt install -y /tmp/nginx.deb
+rm /tmp/nginx.deb
 # on some providers like scaleway the sudo file is changed and we want to keep the old one
 apt-get -o Dpkg::Options::="--force-confold" install -y sudo
diff --git a/scripts/cloudron-setup b/scripts/cloudron-setup
index 03ac36eb2..44a803847 100755
--- a/scripts/cloudron-setup
+++ b/scripts/cloudron-setup
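Review bot: In baseimage/initializeBaseUbuntuImage.sh, `readonly ubuntu_codename=$(lsb_release -cs)` discards the exit status of `lsb_release`, so a missing or failing command leaves the codename empty and the script carries on. The value is interpolated into the nginx package URL in the second hunk of the same file, where an empty codename yields `nginx_1.18.0-1~_amd64.deb`. Assign and check first, then freeze it: `ubuntu_codename=$(lsb_release -cs) || exit 1`, `[[ -n "${ubuntu_codename}" ]] || exit 1`, `readonly ubuntu_codename`. The file appears to define a `die` helper (it shows in the hunk header) that could replace the bare `exit 1`, but its signature is outside the hunk.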
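Review bot: The nginx package in baseimage/initializeBaseUbuntuImage.sh is still fetched over plain `http://` and passed straight to `apt install` as root with no digest or signature check, so anyone on the network path can substitute the .deb; this commit rewrites the URL but keeps the scheme. Fetch it with `curl -fsSL https://nginx.org/packages/ubuntu/pool/nginx/n/nginx/nginx_1.18.0-1~${ubuntu_codename}_amd64.deb -o /tmp/nginx.deb` (`-f` also stops an HTTP error page being saved as the package) and verify a digest pinned per codename before installing, e.g. `echo "<EXPECTED_SHA256>  /tmp/nginx.deb" | sha256sum -c -`. The same unauthenticated download is in the scripts/installer.sh hunk. The echo text "for xenial for TLSv3 support" is also stale now that the install is no longer xenial-only.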
@@ -106,12 +106,6 @@ if [[ "${initBaseImage}" == "true" ]]; then
 exit 1
 fi
- echo "=> Ensure required apt sources"
- if ! add-apt-repository universe &>> "${LOG_FILE}"; then
- echo "Could not add required apt sources (for nginx-full). See ${LOG_FILE}"
- exit 1
- fi
-
 echo "=> Updating apt and installing script dependencies"
 if ! apt-get update &>> "${LOG_FILE}"; then
 echo "Could not update package repositories. See ${LOG_FILE}"
diff --git a/scripts/installer.sh b/scripts/installer.sh
index a98fc4681..ddb3c7117 100755
--- a/scripts/installer.sh
+++ b/scripts/installer.sh
@@ -58,9 +58,9 @@ if [[ $(docker version --format {{.Client.Version}}) != "18.09.2" ]]; then
 fi
 readonly nginx_version=$(nginx -v)
-if [[ "${nginx_version}" != *"1.14."* && "${ubuntu_version}" == "16.04" ]]; then
- echo "==> installer: installing nginx for xenial for TLSv3 support"
- curl -sL http://nginx.org/packages/ubuntu/pool/nginx/n/nginx/nginx_1.14.0-1~xenial_amd64.deb -o /tmp/nginx.deb
+if [[ "${nginx_version}" != *"1.18."* ]]; then
+ echo "==> installer: installing nginx 1.18"
+ curl -sL http://nginx.org/packages/ubuntu/pool/nginx/n/nginx/nginx_1.18.0-1~${ubuntu_codename}_amd64.deb -o /tmp/nginx.deb
 # apt install with install deps (as opposed to dpkg -i)
 apt install -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" --force-yes /tmp/nginx.deb
 rm /tmp/nginx.deb
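Review bot: In scripts/installer.sh, `${ubuntu_codename}` is used in the new curl URL but nothing in this hunk defines it; the only definition this commit adds is in baseimage/initializeBaseUbuntuImage.sh. Unless installer.sh sets it outside the hunk, the URL expands to `nginx_1.18.0-1~_amd64.deb` (or the script aborts if `set -u` is active), and with `-s` and no `-f` curl would likely save the error response as /tmp/nginx.deb, so the failure surfaces only when apt rejects the file. Define it before this block, e.g. `ubuntu_codename=$(lsb_release -cs) || exit 1`. Separately, `nginx -v` prints its version on stderr, so `$(nginx -v)` on the context line captures nothing and the `!= *"1.18."*` guard is always true; `nginx_version=$(nginx -v 2>&1)` would make it effective.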