diff --git a/lucene/CHANGES.txt b/lucene/CHANGES.txt
index 15ee38cdca1..15a0dee014f 100644
--- a/lucene/CHANGES.txt
+++ b/lucene/CHANGES.txt
@@ -296,6 +296,12 @@ Build
 
 ======================== Lucene 9.12.0 =======================
 
+Security Fixes
+---------------------
+
+* Deserialization of Untrusted Data vulnerability in Apache Lucene Replicator - CVE-2024-45772
+ (Summ3r from Vidar-Team, Robert Muir, Paul Irwin)
+
 API Changes
 ---------------------
 
@@ -488,6 +494,8 @@ Other
 * GITHUB#13720: Add float comparison based on unit of least precision and use it to stop test failures caused by float
   summation not being associative in IEEE 754. (Alex Herbert, Stefan Vodita)
 
+* Remove code triggering forbidden-apis regarding Java serialization. (Uwe Schindler, Robert Muir)
+
 ======================== Lucene 9.11.1 =======================
 
 Bug Fixes