diff --git a/CHANGELOG.md b/CHANGELOG.md
index 023d2705a..486056225 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -247,6 +247,11 @@ and CXX to the cross compilers, then run configure as follows:
 
 ### vhost
 
+A security vulnerability has been identified and fixed in SPDK Vhost-SCSI target.
+A malicious client (e.g. a virtual machine) could send a carefully prepared,
+invalid I/O request to crash the entire SPDK process. All users of SPDK Vhost-SCSI
+target are strongly recommended to update. All SPDK versions < 19.07 are affected.
+
 By default, SPDK will now rely on upstream DPDK's rte_vhost instead of its fork
 located inside SPDK repo. The internal fork is still kept around to support older
 DPDK versions, but is considered legacy and will be eventually removed.
@@ -256,6 +261,13 @@ version is >= 19.05.
 
 spdk_vhost_init() is now asynchronous and accepts a completion callback.
 
+### iscsi target
+
+A security vulnerability has been identified and fixed in SPDK iSCSI target.
+A malicious client (e.g. an iSCSI initiator) could send a carefully prepared,
+invalid I/O request to crash the entire SPDK process. All users of SPDK iSCSI
+target are strongly recommended to update. All SPDK versions < 19.07 are affected.
+
 ### thread
 
 Exposed spdk_set_thread() in order for applications to associate