diff --git a/javascript/ql/src/change-notes/2025-11-26-response-default-content-type.md b/javascript/ql/src/change-notes/2025-11-26-response-default-content-type.md new file mode 100644 index 00000000000..d7b5116fe1e --- /dev/null +++ b/javascript/ql/src/change-notes/2025-11-26-response-default-content-type.md @@ -0,0 +1,5 @@ +--- +category: minorAnalysis +--- +* `new Response(x)` is not longer seen as a reflected XSS sink when no`content-type` header + is set, since the content type defaults to `text/plain`.
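Review bot: The change note has two wording defects in the `+* ...` line that should be fixed before merge: "is not longer seen" should read "is no longer seen", and "no`content-type`" is missing the space before the backtick. On substance, the stated rationale ("the content type defaults to `text/plain`") is only accurate for string bodies: per the Fetch specification a string body gives `Content-Type: text/plain;charset=UTF-8`, while a `Blob` body takes the blob's own `type`, a `URLSearchParams` body yields `application/x-www-form-urlencoded`, and a `FormData` body yields `multipart/form-data`. The note should say the sink is dropped for string bodies without an explicit `content-type` header, and the query change this note describes should be checked to confirm it does not also drop `new Response(blob)` where the blob type could be HTML, since that case is not covered by the text/plain default the note relies on. Suggested wording: "* `new Response(x)` is no longer seen as a reflected XSS sink when `x` is a string and no `content-type` header is set, since the content type then defaults to `text/plain;charset=UTF-8`."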