diff --git a/apache-log4j/TODO b/apache-log4j/TODO
index 0b3c60bb9d..44ab4d6712 100644
--- a/apache-log4j/TODO
+++ b/apache-log4j/TODO
@@ -1,2 +1,2 @@
 This package has known vulnerabilities, please investigate and fix if possible:
-  CVE-2019-17571
+  CVE-2019-17571, CVE-2020-9488