diff --git a/CHANGELOG.md b/CHANGELOG.md
index e2bca45e8..3d2a0165a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -31,6 +31,7 @@ SPDX-License-Identifier: GPL-3.0-or-later
 - relay: fix timing attack on password authentication ([GHSA-vhv8-g2r9-cwcc](https://github.com/weechat/weechat/security/advisories/GHSA-vhv8-g2r9-cwcc))
 - api, relay: fix timing attack on TOTP validation ([GHSA-vhv8-g2r9-cwcc](https://github.com/weechat/weechat/security/advisories/GHSA-vhv8-g2r9-cwcc))
 - xfer: replace directory separator in remote nick by underscore in download filename to prevent writing the file outside the download directory
+- xfer: fix out-of-bounds read when receiving empty line in DCC chat ([#2323](https://github.com/weechat/weechat/issues/2323))
 
 ## Version 4.9.1 (2026-05-31)