diff --git a/release-notes/11514.md b/release-notes/11514.md new file mode 100644 index 0000000000..078e479e6a --- /dev/null +++ b/release-notes/11514.md @@ -0,0 +1,7 @@ +- fix: PKCE challenges to Forgejo's OAuth identity provider were not validated when using the `S256` algorithm +- fix: Forgejo supports using an OAuth Bearer token with HTTP basic authentication, rather than Bearer token authentication, but did not properly apply the limited scopes of the OAuth grant +- fix: missing permission checks in attachment-related web endpoints allowed modifying attachments that a user did not own +- fix: email notifications for new releases could be sent to users that no longer access to the repository, or to inactive users +- fix: missing permission checks in user/org-owned projects would allow modifications of the open/closed state to be made to projects via insecure direct object references +- fix: missing permission checks in a web endpoint allowed cancellation of the automerge of a PR +- fix: prevent additional path-traversals in post-login redirect parameters that allowed for arbitrary redirects diff --git a/release-notes/11515.md b/release-notes/11515.md new file mode 100644 index 0000000000..078e479e6a --- /dev/null +++ b/release-notes/11515.md 
@@ -0,0 +1,7 @@ +- fix: PKCE challenges to Forgejo's OAuth identity provider were not validated when using the `S256` algorithm +- fix: Forgejo supports using an OAuth Bearer token with HTTP basic authentication, rather than Bearer token authentication, but did not properly apply the limited scopes of the OAuth grant +- fix: missing permission checks in attachment-related web endpoints allowed modifying attachments that a user did not own +- fix: email notifications for new releases could be sent to users that no longer access to the repository, or to inactive users +- fix: missing permission checks in user/org-owned projects would allow modifications of the open/closed state to be made to projects via insecure direct object references +- fix: missing permission checks in a web endpoint allowed cancellation of the automerge of a PR +- fix: prevent additional path-traversals in post-login redirect parameters that allowed for arbitrary redirects
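Review bot: The fourth bullet of `release-notes/11514.md` is missing a verb: "users that no longer access to the repository" should read "users that no longer have access to the repository". While touching that file, the last bullet describes the redirect issue as "path-traversals", but the text's own statement of impact is "arbitrary redirects"; naming it an open-redirect fix in post-login redirect parameters would make the entry easier for readers scanning release notes to classify.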
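Review bot: `release-notes/11515.md` is byte-for-byte identical to `release-notes/11514.md` (both hunks carry the same blob index `078e479e6a`), so whichever wording fix lands in one file must be applied to the other as well, including the missing "have" in "users that no longer access to the repository". Please confirm in the PR description that two identically worded release-note files are intended here (for example, one per backport PR number) rather than an accidental duplicate, since a reader of the generated release notes would otherwise see the same seven entries twice.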