diff --git a/_includes/manuals/3.8/1.2_release_notes.md b/_includes/manuals/3.8/1.2_release_notes.md
index 05da90ffeb..f0f377b340 100644
--- a/_includes/manuals/3.8/1.2_release_notes.md
+++ b/_includes/manuals/3.8/1.2_release_notes.md
@@ -13,11 +13,21 @@ The parameters still exist and can be specified, but the average user shouldn't
### Upgrade warnings
-### Foreman Redis caching DB changed to 4
+#### Foreman Redis caching DB changed to 4
Since Foreman 3.6 Foreman can be easily configured to use Redis for caching (using `--foreman-rails-cache-store type:redis`).
Starting Foreman 3.8 this uses DB 4, instead of DB 0, to avoid potential conflicts with other software.
+#### `ct_command` and `fcct_command` settings replaced with `(fc)ct_location` and `(fc)ct_arguments`
+
+To fix [CVE-2022-3874](/security.html#2022-3874) the settings for the CoreOS and Fedora CoreOS
+transpiler commands were changed to individual settings for the location of the binary and the
+arguments passed to it.
+During the upgrade the location of the binaries will be automatically changed to `/usr/bin/ct`
+and `/usr/bin/fcct`. Setting the binary location to any other path requires changes to
+`settings.yaml`, as different locations are forbidden by default.
+The arguments are automatically migrated from the old settings to the new ones.
+
### Release Notes
### Release notes for 3.8.0
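Review bot: the new upgrade warning says the binary locations are forced to `/usr/bin/ct` and `/usr/bin/fcct` and that "different locations are forbidden by default", but it does not say what happens to an installation whose old `ct_command`/`fcct_command` pointed somewhere else, nor which `settings.yaml` key allows additional paths. Suggest adding a sentence telling users with a non-default transpiler path to check the new `(fc)ct_location` value after the upgrade and to extend `settings.yaml` before CoreOS provisioning is used again, and naming the key to set, since "requires changes to `settings.yaml`" alone does not tell the reader what to change. The heading level change from `###` to `####` for the Redis note is correct: it makes both items subheadings of "Upgrade warnings".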
diff --git a/_includes/manuals/nightly/1.2_release_notes.md b/_includes/manuals/nightly/1.2_release_notes.md
index c042901c21..bbe92fcc41 100644
--- a/_includes/manuals/nightly/1.2_release_notes.md
+++ b/_includes/manuals/nightly/1.2_release_notes.md
@@ -6,6 +6,16 @@ This section will be updated prior to the next release.
### Upgrade warnings
+#### `ct_command` and `fcct_command` settings replaced with `(fc)ct_location` and `(fc)ct_arguments`
+
+To fix [CVE-2022-3874](/security.html#2022-3874) the settings for the CoreOS and Fedora CoreOS
+transpiler commands were changed to individual settings for the location of the binary and the
+arguments passed to it.
+During the upgrade the location of the binaries will be automatically changed to `/usr/bin/ct`
+and `/usr/bin/fcct`. Setting the binary location to any other path requires changes to
+`settings.yaml`, as different locations are forbidden by default.
+The arguments are automatically migrated from the old settings to the new ones.
+
### Deprecations
### Release Notes
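Review bot: this is a verbatim copy of the 3.8 upgrade warning, so the same gap applies: it names the enforced defaults `/usr/bin/ct` and `/usr/bin/fcct` but not the `settings.yaml` key that permits other locations, and it does not tell users with a customised `ct_command` path to verify the migrated `(fc)ct_location`. Whatever clarification is made in the 3.8 notes should be mirrored here so the two pages stay in sync.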
diff --git a/security.md b/security.md
index c20ddf1a00..2bdf352866 100644
--- a/security.md
+++ b/security.md
@@ -15,6 +15,7 @@ The policy of the project is to treat all newly reported issues as private, and
All security advisories made for Foreman are listed below with their corresponding [CVE identifier](https://cve.mitre.org/).
+* [CVE-2022-3874: OS command injection via ct_command and fcct_command](security.html#2022-3874)
* [CVE-2021-3584: Remote code execution through Sendmail configuration](security.html#2021-3584)
* [CVE-2021-20256: BMC controller credential leak via API](security.html#2021-20256)
* [CVE-2021-20259: Proxmox compute resource password leak](security.html#2021-20259)
@@ -87,6 +88,16 @@ All security advisories made for Foreman are listed below with their correspondi
### Disclosure details
+#### CVE-2022-3874: OS command injection via ct_command and fcct_command
+
+`ct_command` and `fcct_command` settings, available via Administer - Settings, both accept arbitrary
+strings as the command name and calling CoreOS templates will execute those commands as the user Foreman runs under.
+By default, only Foreman super administrator can access settings.
+
+* Affects Foreman 3.2.0 and higher
+* Fix released in Foreman 3.8.0
+* Redmine issue [#36759](https://projects.theforeman.org/issues/36759)
+
#### CVE-2021-3584: Remote code execution through Sendmail configuration
Sendmail location and arguments, available via Administer - Settings, both accept arbitrary strings and pass them into shell.
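Review bot: the new disclosure describes the flaw but not how 3.8.0 closes it; a reader of this page cannot tell whether upgrading is sufficient or whether configuration is also needed. Suggest adding a sentence that the settings were replaced by `(fc)ct_location`, limited by default to `/usr/bin/ct` and `/usr/bin/fcct`, and `(fc)ct_arguments`, with a link to the 3.8 upgrade warning. The phrase "calling CoreOS templates will execute those commands" is also ambiguous about the trigger; something like "rendering a CoreOS provisioning template runs the configured command as the Foreman user" would be clearer. The heading style (no backticks around `ct_command`) matches the existing CVE-2021-3584 entry, so that is consistent.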