diff --git a/java/ql/src/Security/CWE/CWE-780/RsaWithoutOaep.ql b/java/ql/src/Security/CWE/CWE-780/RsaWithoutOaep.ql index 6581e956c93..22602c23482 100644 --- a/java/ql/src/Security/CWE/CWE-780/RsaWithoutOaep.ql +++ b/java/ql/src/Security/CWE/CWE-780/RsaWithoutOaep.ql @@ -3,6 +3,7 @@ * @description Using RSA encryption without OAEP padding can lead to a padding oracle attack, weakening the encryption. * @kind problem * @problem.severity warning + * @security-severity 7.5 * @precision high * @id java/rsa-without-oaep * @tags security diff --git a/java/ql/src/change-notes/2022-08-05-rsa-without-oaep.md b/java/ql/src/change-notes/2022-08-05-rsa-without-oaep.md new file mode 100644 index 00000000000..06d71cbf865 --- /dev/null +++ b/java/ql/src/change-notes/2022-08-05-rsa-without-oaep.md @@ -0,0 +1,4 @@ +--- +category: newQuery +--- +* A new query "Use of RSA algorithm without OAEP" (`java/rsa-without-oaep`) has been added. This query finds uses of RSA encryption that don't use the OAEP scheme. \ No newline at end of file
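Review bot: The `@security-severity 7.5` added to `RsaWithoutOaep.ql` has no accompanying justification; please state in the PR how the score was derived (the CVSS vector or the scoring convention used for other CWE-based queries in this directory) so reviewers can check it is consistent with comparable queries. While touching the metadata block, the existing `@description` line understates the impact: a padding oracle against PKCS#1 v1.5 RSA lets an attacker recover the plaintext of intercepted ciphertexts, so "weakening the encryption" could read "can allow an attacker to decrypt ciphertexts".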
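Review bot: The change note `2022-08-05-rsa-without-oaep.md` is categorised `newQuery` and says the query "has been added", but the first hunk edits an existing file at `java/ql/src/Security/CWE/CWE-780/RsaWithoutOaep.ql` (index `6581e956c93`), so the query file predates this change; the note should say what is actually new for users (for example that `java/rsa-without-oaep` is now in the default query suite, if that is the case) rather than that the query was newly written. Also, the file ends with `\ No newline at end of file`; please add the trailing newline to match the other change notes.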