diff --git a/java-xmlrpc/TODO b/java-xmlrpc/TODO
new file mode 100644
index 0000000000..aa6841665a
--- /dev/null
+++ b/java-xmlrpc/TODO
@@ -0,0 +1,2 @@
+This package has known vulnerabilities, please investigate and fix if possible:
+  CVE-2019-17570