diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index b41eea13b56..33b6b3dcd6f 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -11,6 +11,12 @@ This is a quick hotfix to the previous version.
 Version 3.5.1
 -------------
 
+This version contained a `security fix <https://github.com/rtfd/readthedocs.org/security/advisories/GHSA-2mw9-4c46-qrcv>`_
+for an open redirect issue.
+The problem has been fixed and deployed on readthedocs.org.
+For users who depend on the Read the Docs code line for a private instance of Read the Docs,
+you are encouraged to update to 3.5.1 as soon as possible.
+
 :Date: June 11, 2019
 
 * `@stsewd <http://github.com/stsewd>`__: Update build images in docs (`#5782 <https://github.com/rtfd/readthedocs.org/pull/5782>`__)
diff --git a/docs/security.rst b/docs/security.rst
index 4264cb8c6af..d71a7974c93 100644
--- a/docs/security.rst
+++ b/docs/security.rst
@@ -87,7 +87,7 @@ Security issue archive
 Version 3.5.1
 ~~~~~~~~~~~~~
 
-Version 3.5.1 fixed an issue where that affected projects with "prefix" or "sphinx" user-defined redirects.
+:ref:`changelog:Version 3.5.1` fixed an issue that affected projects with "prefix" or "sphinx" user-defined redirects.
 The issue allowed the creation of hyperlinks that looked like they would go to a documentation domain
 on Read the Docs (either ``*.readthedocs.io`` or a custom docs domain) but instead went to a different domain.