diff --git a/doc/POST_UPGRADE.d/1.2.8.md b/doc/POST_UPGRADE.d/1.2.8.md
new file mode 100644
index 0000000..1041730
--- /dev/null
+++ b/doc/POST_UPGRADE.d/1.2.8.md
@@ -0,0 +1,7 @@
+[Borg pre-version 1.2.5 had CVE in archive format](https://github.com/borgbackup/borg/blob/1.2.8/docs/changes.rst#pre-125-archives-spoofing-vulnerability-cve-2023-36811). One liner to check if you're affected is:
+
+```sh
+sudo env BORG_RSH="ssh -i /root/.ssh/id___APP___ed25519 -oStrictHostKeyChecking=yes " BORG_PASSPHRASE="$(sudo yunohost app setting __APP__ passphrase)" BORG_RELOCATED_REPO_ACCESS_IS_OK=yes BORG_REPO="$(sudo yunohost app setting __APP__ repository)" __INSTALL_DIR__/venv/bin/borg upgrade --show-rc --check-tam $BORG_REPO
+```
+
+Consult the linked documentation on how to interpret the result.