diff --git a/java/ql/lib/change-notes/2023-05-17-change-hostnamesanitizingprefix-regex.md b/java/ql/lib/change-notes/2023-05-17-change-hostnamesanitizingprefix-regex.md
new file mode 100644
index 00000000000..8d81c97d9e3
--- /dev/null
+++ b/java/ql/lib/change-notes/2023-05-17-change-hostnamesanitizingprefix-regex.md
@@ -0,0 +1,5 @@
+---
+category: minorAnalysis
+---
+* Updated the regular expression in the `HostnameSanitizer` sanitizer in the `semmle.code.java.security.RequestForgery` library to better detect strings prefixed with a hostname.
+