diff --git a/NEWS b/NEWS index 8373c66329a..0539611812d 100644 --- a/NEWS +++ b/NEWS @@ -2,6 +2,13 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ?? ??? ????, PHP 8.1.28 +- Standard: + . Fixed bug GHSA-pc52-254m-w9w7 (Command injection via array-ish $command + parameter of proc_open). (CVE-2024-1874) (Jakub Zelenka) + . Fixed bug GHSA-wpj3-hf5j-x4v4 (__Host-/__Secure- cookie bypass due to + partial CVE-2022-31629 fix). (CVE-2024-2756) (nielsdos) + . Fixed bug GHSA-h746-cjrr-wfmr (password_verify can erroneously return true, + opening ATO risk). (CVE-2024-3096) (Jakub Zelenka) 21 Dec 2023, PHP 8.1.27
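Review bot: In the third added entry (GHSA-h746-cjrr-wfmr), "ATO" is left unexpanded; NEWS is read by people deciding whether to upgrade, so spell it out as "account takeover". The same entry says password_verify "can erroneously return true" without naming the condition that triggers it, so a reader cannot tell from NEWS alone whether their inputs or stored hashes are affected; a few words on the trigger would make the entry actionable. In the first entry (GHSA-pc52-254m-w9w7), "array-ish $command parameter" is informal and ambiguous; state the accepted form plainly, for example "when $command is passed as an array".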