diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index a6cd2d1cf5..132cda51cc 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -93,6 +93,12 @@ Changelog
  * Fix: Prevent delete button showing on collection / workflow edit views when delete permission is absent (Helder Correia)
 
 
+2.11.7 (19.04.2021)
+~~~~~~~~~~~~~~~~~~~
+
+ * Fix: CVE-2021-29434 - fix improper validation of URLs ('Cross-site Scripting') in rich text fields (Kevin Breen, Matt Westcott)
+
+
 2.11.6 (05.03.2021)
 ~~~~~~~~~~~~~~~~~~~
 
diff --git a/docs/releases/2.11.7.rst b/docs/releases/2.11.7.rst
new file mode 100644
index 0000000000..e03f72fb91
--- /dev/null
+++ b/docs/releases/2.11.7.rst
@@ -0,0 +1,18 @@
+============================
+Wagtail 2.11.7 release notes
+============================
+
+.. contents::
+    :local:
+    :depth: 1
+
+
+What's new
+==========
+
+CVE-2021-29434: Improper validation of URLs ('Cross-site Scripting') in rich text fields
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+This release addresses a cross-site scripting (XSS) vulnerability in rich text fields. When saving the contents of a rich text field in the admin interface, Wagtail did not apply server-side checks to ensure that link URLs use a valid protocol. A malicious user with access to the admin interface could thus craft a POST request to publish content with javascript: URLs containing arbitrary code. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.
+
+Many thanks to Kevin Breen for reporting this issue.
diff --git a/docs/releases/index.rst b/docs/releases/index.rst
index b0896291e3..0530ff5e01 100644
--- a/docs/releases/index.rst
+++ b/docs/releases/index.rst
@@ -11,6 +11,7 @@ Release notes
    2.12.2
    2.12.1
    2.12
+   2.11.7
    2.11.6
    2.11.5
    2.11.4