diff --git a/CHANGES b/CHANGES
index df27c5bfef58aaf8484d4956dd1446c5f4662ec9..3229d08bbba4b2e0562d4b2500411674c6ca0e6e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -276,6 +276,11 @@ o Thread.ResourceCount
 
   Fixed mutex handling.
 
+o Tools.Standalone.httpserver
+
+  The builtin webserver tool shipped with Pike (pike -x httpserver) was
+  previously susceptible to a directory traversal attack via URL encoding.
+
 Building & Tools
 ----------------