diff --git a/locale/en/dictionaries/people.txt b/locale/en/dictionaries/people.txt index 58df44beb8..0f7f84bdcb 100644 --- a/locale/en/dictionaries/people.txt +++ b/locale/en/dictionaries/people.txt @@ -11,3 +11,4 @@ Naur Wärting Aadit Kilby +Kahmen diff --git a/website/docs/security/cves/CVE-2026-42849.md b/website/docs/security/cves/CVE-2026-42849.md new file mode 100644 index 0000000000..2cdae1d7bb --- /dev/null +++ b/website/docs/security/cves/CVE-2026-42849.md @@ -0,0 +1,27 @@ +# CVE-2026-42849 + +_Reported by Jan Kahmen, [turingpoint GmbH](https://turingpoint.de/en/)_ + +## Reflected XSS in SFE + +### Summary + +Due to the implementation of stages in the SFE (Simple Flow Executor) in order to make the interface more compatible with legacy browsers, it was possible to use an XSS exploit in the AutosubmitStage. + +### Patches + +authentik 2025.12.5 and 2026.2.3 fix this issue. + +### Impact + +The SFE (Simple Flow Executor) was susceptible to an XSS exploit. This could allow an attacker to redirect web requests containing tokens, hijack the session or take other malicious actions. + +This is possible when an OAuth2 provider is configured, either through the redirect_uri when a very broad regex is used, or through the state value. + +The SFE previously used jQuery without explicit sanitization, which, compared to the rest of our interfaces, did not sufficiently protect from malicious input values. + +### For more information + +If you have any questions or comments about this advisory: + +- Email us at [security@goauthentik.io](mailto:security@goauthentik.io).
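Review bot: in the new `CVE-2026-42849.md` hunk, the Patches section (`+authentik 2025.12.5 and 2026.2.3 fix this issue.`) names the fixed releases but not the affected range, so a reader running an older release cannot tell from this page whether they are exposed; state the affected versions (or "all versions before ...") next to the fixes, and consider a severity/CVSS line near the top, since the advisory currently carries none. In the Impact section, `+This is possible when an OAuth2 provider is configured, either through the redirect_uri when a very broad regex is used, or through the state value.` is the most actionable hardening hint on the page but is not presented as one; a short Workarounds section telling administrators to tighten overly broad `redirect_uri` patterns on their OAuth2 providers until they upgrade (if the authors can confirm that is sufficient for the redirect_uri path) would make that explicit, and should note that the `state` path is not covered by that workaround. Minor wording: the Summary's opening "Due to the implementation of stages in the SFE ... in order to make the interface more compatible with legacy browsers, it was possible to use an XSS exploit in the AutosubmitStage" reads awkwardly; something like "The SFE (Simple Flow Executor), which re-implements flow stages for legacy-browser compatibility, was vulnerable to reflected XSS in the AutosubmitStage" says the same thing more directly.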