diff --git a/NEWS b/NEWS
index 18d47a537..2a83c35e1 100644
--- a/NEWS
+++ b/NEWS
@@ -11,6 +11,8 @@ ELinks 0.11.3.GIT now:
 To be released as 0.11.4.
 
 * critical bug 945: don't crash if a Lua script calls e.g. error(nil)
+* CVE-2007-2027: check if the program path contains "src/" before
+  using ../po files
 * important Debian bug 380347: prevent a buffer overflow in entity_cache
   and a possible subsequent crash
 * bug 691: don't look up bogus IPv4 addresses based on characters of a