diff --git a/copyparty/__version__.py b/copyparty/__version__.py
index fdb3f3d1..e2db10bb 100644
--- a/copyparty/__version__.py
+++ b/copyparty/__version__.py
@@ -1,6 +1,6 @@
 # coding: utf-8
 
-VERSION = (1, 20, 9)
+VERSION = (1, 20, 10)
 CODENAME = "sftp is fine too"
 BUILD_DT = (2026, 2, 25)
 
diff --git a/docs/changelog.md b/docs/changelog.md
index 5635f22a..67389cdc 100644
--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -1,3 +1,16 @@
+▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀  
+# 2026-0225-0834  `v1.20.9`  SECURITY: XSS fix
+
+## ⚠️ ATTN: this release fixes an XSS vulnerability
+
+[GHSA-62cr-6wp5-q43h](https://github.com/9001/copyparty/security/advisories/GHSA-62cr-6wp5-q43h) could let an attacker execute arbitrary JS by tricking you into clicking a malicious link 31b2801f
+
+## 🔧 other changes
+
+* webdav: [dav-port](https://copyparty.eu/cli/#g-dav-port) can be used as an alternative to [daw](https://copyparty.eu/cli/#g-daw) d21242fc
+
+
+
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀  
 # 2026-0222-1507  `v1.20.8`  no265