diff --git a/ChangeLog b/ChangeLog
index 98e81908..204249c4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,21 +1,44 @@
+Version 2.0.44 (May 6, 2023)
+----------------------------
+
+* Add link to the URL rewrite rules documentation
+* Update scraping rules for `ilpost.it`
+* Update rewrite rules for `theverge.com`
+* Add a rewrite rule to remove clickbait titles
+* Make sure `PROXY_IMAGES` option is backward compatible with `PROXY_OPTION` and `PROXY_MEDIA_TYPES`
+* Add new rule to remove tables
+* Add support for searching well-known URLs in subdirectory
+* Add CSS `word-wrap` rule to break very long entry title into multiple lines
+* Add swipe as option for gesture navigation between entries. There are now 3 possible choices: `none`, `double-tap`, and `swipe`.
+* Prefer typographic punctuation in English translation
+* Process older entries first:
+ - Feed entries are usually ordered from most to least recent.
+ - Processing older entries first ensures that their creation timestamp
+ is lower than that of newer entries.
+ - This is useful when we order by creation, because then we get a
+ consistent timeline.
+* Fix Grafana dashboard
+* Push Docker images to `Quay.io` (RedHat)
+* Bump `golang.org/x/*`, `github.com/lib/pq`, `mvdan.cc/xurls/v2` and `github.com/prometheus/client_golang` dependencies
+
Version 2.0.43 (March 16, 2023)
-------------------------------
* Avoid XSS when opening a broken image due to unescaped ServerError in proxy handler (CVE-2023-27592)
-
+
Creating an RSS feed item with the inline description containing an `` tag
with a `srcset` attribute pointing to an invalid URL like
`http:a`, we can coerce the proxy handler into an error
condition where the invalid URL is returned unescaped and in full.
-
+
This results in JavaScript execution on the Miniflux instance as soon as the
user is convinced to open the broken image.
* Use `r.RemoteAddr` to check `/metrics` endpoint network access (CVE-2023-27591)
-
+
HTTP headers like `X-Forwarded-For` or `X-Real-Ip` can be easily spoofed. As
such, it cannot be used to test if the client IP is allowed.
-
+
The recommendation is to use HTTP Basic authentication to protect the
metrics endpoint, or run Miniflux behind a trusted reverse-proxy.