diff --git a/docs/source/changelog.rst b/docs/source/changelog.rst index 685abc594..f623cc6c3 100644 --- a/docs/source/changelog.rst +++ b/docs/source/changelog.rst @@ -31,13 +31,14 @@ We strongly recommend that you upgrade pip to version 9+ of pip before upgrading - Further improve compatibility with tornado 6 with improved checks for when websockets are closed. - Fix regression in 5.7.6 on Windows where .js files could have the wrong mime-type. +- Fix Open Redirect vulnerability where certain malicious URLs could redirect from the Jupyter login page to a malicious site after a successful login. A CVE has been requested for this vulnerability. .. _release-5.7.6: 5.7.6 ----- -5.7.6 contains a security fix for a cross-site inclusion (XSSI) vulnerability, +5.7.6 contains a security fix for a cross-site inclusion (XSSI) vulnerability (CVE-2019–9644), where files at a known URL could be included in a page from an unauthorized website if the user is logged into a Jupyter server. The fix involves setting the ``X-Content-Type-Options: nosniff`` header, and applying CSRF checks previously on all non-GET @@ -45,7 +46,6 @@ API requests to GET requests to API endpoints and the /files/ endpoint. The attacking page is able to access some contents of files when using Internet Explorer through script errors, but this has not been demonstrated with other browsers. -A CVE has been requested for this vulnerability. .. _release-5.7.5:
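Review bot: The CVE identifier added in the first hunk, "(CVE-2019–9644)", is written with a Unicode en dash between the year and the number rather than an ASCII hyphen; CVE IDs are of the form CVE-YYYY-NNNN, and the en dash will break copy-paste lookups, grep, and any tooling or advisory cross-links that key on the exact string. Suggest changing it to "(CVE-2019-9644)" in the rendered text. The rest of the change is consistent: the second hunk drops "A CVE has been requested for this vulnerability." from the 5.7.6 entry now that the ID is stated, and the new open-redirect entry in the first hunk carries the same "CVE has been requested" wording, so it will need the same follow-up edit once an ID is assigned.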