diff --git a/ChangeLog b/ChangeLog
index 37a11c22..98e81908 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,46 @@
+Version 2.0.43 (March 16, 2023)
+-------------------------------
+
+* Avoid XSS when opening a broken image due to unescaped ServerError in proxy handler (CVE-2023-27592)
+
+ Creating an RSS feed item with the inline description containing an `` tag
+ with a `srcset` attribute pointing to an invalid URL like
+ `http:a`, we can coerce the proxy handler into an error
+ condition where the invalid URL is returned unescaped and in full.
+
+ This results in JavaScript execution on the Miniflux instance as soon as the
+ user is convinced to open the broken image.
+
+* Use `r.RemoteAddr` to check `/metrics` endpoint network access (CVE-2023-27591)
+
+ HTTP headers like `X-Forwarded-For` or `X-Real-Ip` can be easily spoofed. As
+ such, it cannot be used to test if the client IP is allowed.
+
+ The recommendation is to use HTTP Basic authentication to protect the
+ metrics endpoint, or run Miniflux behind a trusted reverse-proxy.
+
+* Add HTTP Basic authentication for `/metrics` endpoint
+* Add proxy support for several media types
+* Parse feed categories from RSS, Atom and JSON feeds
+* Ignore empty link when discovering feeds
+* Disable CGO explicitly to make sure the binary is statically linked
+* Add CSS classes to differentiate between category/feed/entry view and icons
+* Add rewrite and scraper rules for `blog.cloudflare.com`
+* Add `color-scheme` to themes
+* Add new keyboard shortcut to toggle open/close entry attachments section
+* Sanitizer: allow `id` attribute in `` element
+* Add Indonesian Language
+* Update translations
+* Update Docker Compose examples:
+ - Run the application in one command
+ - Bring back the health check condition to `depends_on`
+ - Remove deprecated `version` element
+* Update scraping rules for `ilpost.it`
+* Bump `github.com/PuerkitoBio/goquery` from `1.8.0` to `1.8.1`
+* Bump `github.com/tdewolff/minify/v2` from `2.12.4` to `2.12.5`
+* Bump `github.com/yuin/goldmark` from `1.5.3` to `1.5.4`
+* Bump `golang.org/x/*` dependencies
+
Version 2.0.42 (January 29, 2023)
---------------------------------
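Review bot: In the CVE-2023-27592 entry the element name is missing: "containing an `` tag" has empty backticks, and the same gap appears in the "Sanitizer: allow `id` attribute in `` element" line, so a reader cannot tell which tags are affected. Please write the tag names out in a form that survives rendering. In the CVE-2023-27591 entry, "it cannot be used" refers to the plural "HTTP headers" and should read "they cannot be used". That entry would also be more useful to people upgrading if it stated that, behind a reverse proxy, `r.RemoteAddr` is the proxy's address, so the network check for `/metrics` now applies to the proxy rather than to the original client.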