diff --git a/python/ql/src/Security/CWE-312/CleartextLogging.qhelp b/python/ql/src/Security/CWE-312/CleartextLogging.qhelp index 884b1dbdd4b..3244a0354d7 100644 --- a/python/ql/src/Security/CWE-312/CleartextLogging.qhelp +++ b/python/ql/src/Security/CWE-312/CleartextLogging.qhelp @@ -2,4 +2,33 @@ "-//Semmle//qhelp//EN" "qhelp.dtd"> - + + + +

If sensitive data is written to a log entry it could be exposed to an attacker +who gains access to the logs.

+ +

Potential attackers can obtain sensitive user data when the log output is displayed. Additionally that data may +expose system information such as full path names, system information, and sometimes usernames and passwords.

+
+ + +

+Sensitive data should not be logged. +

+
+ + +

In the example the entire process environment is logged using `print`. Regular users of the production deployed application +should not have access to this much information about the environment configuration. +

+ + +

In the second example the data that is logged is not sensitive.

+ +
+ + +
  • OWASP: Insertion of Sensitive Information into Log File.
  • +
    + diff --git a/python/ql/src/Security/CWE-312/examples/CleartextLogging.py b/python/ql/src/Security/CWE-312/examples/CleartextLogging.py new file mode 100644 index 00000000000..57733712d59 --- /dev/null +++ b/python/ql/src/Security/CWE-312/examples/CleartextLogging.py @@ -0,0 +1,3 @@ +# BAD: Logging cleartext sensitive data +import os +print(f"[INFO] Environment: {os.environ}") \ No newline at end of file diff --git a/python/ql/src/Security/CWE-312/examples/CleartextLoggingGood.py b/python/ql/src/Security/CWE-312/examples/CleartextLoggingGood.py new file mode 100644 index 00000000000..853f7fe488b --- /dev/null +++ b/python/ql/src/Security/CWE-312/examples/CleartextLoggingGood.py @@ -0,0 +1,3 @@ +not_sensitive_data = {'a': 1, 'b': 2} +# GOOD: it is fine to log data that is not sensitive +print(f"[INFO] Some object contains: {not_sensitive_data}") \ No newline at end of file
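Review bot: In the CleartextLogging.qhelp hunk the Recommendation section is a single sentence ("Sensitive data should not be logged.") and gives the reader nothing actionable; the other Python qhelp files normally say how to avoid the problem, so consider adding that sensitive values should be redacted, masked or dropped before the message is built, and that only the fields needed for diagnostics should reach the log. Two smaller points in the same hunk: the Overview sentence "expose system information such as full path names, system information, and sometimes usernames and passwords" repeats "system information" and should list distinct items (for example "full path names, configuration details, and sometimes usernames and passwords"); and the reference is labelled "OWASP: Insertion of Sensitive Information into Log File", but that title is the name of CWE-532 at MITRE, so either the label should be "CWE-532: Insertion of Sensitive Information into Log File" with a cwe.mitre.org link, or the entry should point at the OWASP Logging Cheat Sheet under the OWASP label (the href is not visible in this diff, so please check which one the link actually targets).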
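Review bot: In the CleartextLogging.py hunk the bad example uses only `print(f"[INFO] Environment: {os.environ}")`; since most production code logs through the `logging` module, readers may not recognise a bare `print` as a log sink, so it would be clearer to add (or switch to) a `logging.info(...)` variant with the same environment dump, and to say in the comment that `os.environ` commonly holds secrets such as API keys and database passwords so the reader understands why the whole mapping counts as sensitive. The file also ends with "\ No newline at end of file"; please add the trailing newline.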
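Review bot: In the CleartextLoggingGood.py hunk the good example (`not_sensitive_data = {'a': 1, 'b': 2}` followed by a `print`) does not relate to the bad example, so it shows that logging a harmless dict is allowed but not how to fix the environment dump flagged in CleartextLogging.py; a qhelp "good" example is most useful when it performs the same operation safely, for instance logging only an explicitly allow-listed subset of the environment (such as the keys needed for diagnostics) or a redacted copy with secret-like values replaced by a placeholder, and the Example text in the qhelp would then describe that fix rather than just "the data that is logged is not sensitive". As in the other new file, the trailing newline is missing ("\ No newline at end of file").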