diff --git a/bwrap.xml b/bwrap.xml
index cf73abc4..7eac3e95 100644
--- a/bwrap.xml
+++ b/bwrap.xml
@@ -463,7 +463,9 @@
Note: In a general sandbox, if you don't use --new-session, it is
recommended to use seccomp to disallow the TIOCSTI ioctl, otherwise
- the application can feed keyboard input to the terminal.
+ the application can feed keyboard input to the terminal
+ which can e.g. lead to out-of-sandbox command execution
+ (see CVE-2017-5226).
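Review bot: The added clause at the end of this note runs on from the previous line without punctuation: "terminal" is followed directly by "which can e.g. lead to", so it needs a comma before "which", and the mid-clause "e.g." reads awkwardly in a man page. Suggested wording: "the application can feed keyboard input to the terminal, which can lead to out-of-sandbox command execution (see CVE-2017-5226)." Naming the consequence and the CVE is a useful addition, because the old text did not say why injected keyboard input matters.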