diff --git a/WHATSNEW.md b/WHATSNEW.md
index 9bbfbbb64682f294d5e07e842916fcbecbb20173..ee6bafb1b9c045b6e2200ab94db445befc0b460c 100644
--- a/WHATSNEW.md
+++ b/WHATSNEW.md
@@ -1,19 +1,32 @@
+osTicket v1.10.2
+================
+### Performance and Security
+* Prevent Account Takeover (be0133b)
+* Prevent Agent Directory XSS (36651b9)
+* Httponly Cookies (5b2dfce)
+* File Upload Bypass (3eb1614)
+* Only allow image attachments to be opened in the browser window (4c79ff8)
+* Fix randNumber() (5b8b95a)
+* CSRF in users.inc.php URL (285a292)
+* AJAX Reflected XSS (e919d8a)
+
+
 osTicket v1.10.1
 ================
 ### Enhancements
-- Users: Support search by phone number
-- i18n: Fix getPrimaryLanguage() on non-object (#3799)
-- Add TimezoneField (#3786)
-- Chunk long text body (#3757, 7b68c994)
-- Spyc: convert hex strings to INTs under PHP 7 (#3621)
-- forms: Proper Field Deletion
-- Move orphaned tasks on department deletion to the default department (42e2c55a)
-- List: Save List Item Abbreviation (8513f137)
+* Users: Support search by phone number
+* i18n: Fix getPrimaryLanguage() on non-object (#3799)
+* Add TimezoneField (#3786)
+* Chunk long text body (#3757, 7b68c994)
+* Spyc: convert hex strings to INTs under PHP 7 (#3621)
+* forms: Proper Field Deletion
+* Move orphaned tasks on department deletion to the default department (42e2c55a)
+* List: Save List Item Abbreviation (8513f137)
 
 ### Performance and Security
-- XSS: Encode html entities of advanced search title (#3919)
-- XSS: Encode html entities of cached form data (#3960, bcd58e8)
-- ORM: Addresses an SQL injection vulnerability in ORM lookup function (#3959, 1eaa6910)
+* XSS: Encode html entities of advanced search title (#3919)
+* XSS: Encode html entities of cached form data (#3960, bcd58e8)
+* ORM: Addresses an SQL injection vulnerability in ORM lookup function (#3959, 1eaa6910)
 
 
 osTicket v1.10
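Review bot: Several entries in the new v1.10.2 "Performance and Security" list name the vulnerability instead of the fix, for example "File Upload Bypass (3eb1614)" and "AJAX Reflected XSS (e919d8a)", and the "CSRF in users.inc.php URL" line has the same problem. Read literally, they say the release adds those issues. Consider wording them like "Prevent Account Takeover" in the same list or like the v1.10.1 entries ("XSS: Encode html entities of ..."), so that each line states what was changed and an administrator can judge upgrade urgency from the changelog alone. "Fix randNumber()" sits under security but does not say what was wrong with it, so a few words on the defect would help. "Httponly Cookies" should use the attribute's usual spelling, HttpOnly, and say which cookies now carry it. Separately, the switch from `-` to `*` bullets in the v1.10.1 section is formatting churn unrelated to the 1.10.2 notes and would be easier to review as its own commit.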