diff --git a/docs/releasenotes/8.3.0.rst b/docs/releasenotes/8.3.0.rst
index b8f9f6f50..2c4b6f122 100644
--- a/docs/releasenotes/8.3.0.rst
+++ b/docs/releasenotes/8.3.0.rst
@@ -61,7 +61,17 @@ format, through the new ``bitmap_format`` argument::
 Security
 ========
 
-TODO
+Parsing XML
+^^^^^^^^^^^
+
+Pillow previously parsed XMP data using Python's ``xml`` module. However, this module
+is not secure.
+
+- :py:meth:`~PIL.Image.Image.getexif` has used ``xml`` to potentially retrieve
+  orientation data since Pillow 7.2.0. It has been refactored to use ``re`` instead.
+- :py:meth:`~PIL.JpegImagePlugin.JpegImageFile.getxmp` was added in Pillow 8.2.0. It
+  will now use ``defusedxml`` instead. If the dependency is not present, an empty
+  dictionary will be returned and a warning raised.
 
 Other Changes
 =============