diff --git a/CHANGELOG.md b/CHANGELOG.md index c26c599..30e1f7d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -26,6 +26,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Leaflet.markercluster for automatic marker grouping at low zoom levels (#61) - Clustering toggle parameter in map module settings (enabled by default) - Junction table orphan cleanup on location/category delete (#60) +- License key warning on install/update when no download key is configured +- Download key (dlid) preserved across package upgrades ### Changed - Map module dispatcher uses aliased table queries with category JOIN @@ -43,6 +45,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - ORDER BY injection prevention — replaced `$db->escape()` with allowlist validation - Map module: `$mapHeight` CSS value validated with regex pattern - CSP compatibility: all inline scripts use WebAssetManager for automatic nonce injection (#34) +- XSS fix: detail map popup uses DOM textContent instead of raw string in bindPopup() + +### Fixed +- SQL migration compatibility: removed `DROP COLUMN IF EXISTS` (MySQL 8.0.13+ only) in favor of plain `DROP COLUMN` ## [1.1.0] - 2026-06-23
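Review bot: The two entries added in the first hunk, after the "Junction table orphan cleanup" line, say "License key" in one line and "Download key (dlid)" in the next for what reads as the same setting. Pick one term, or state in the entry how the two differ, so that someone searching the changelog for either finds both. Unlike the neighbouring entries (#61, #60), neither line carries an issue reference; add one if an issue or PR exists.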
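Review bot: In the second hunk, the entry under the new "### Fixed" heading swaps `DROP COLUMN IF EXISTS` for plain `DROP COLUMN`, and a plain `DROP COLUMN` errors when the column is already absent. The entry should say how the migration now behaves on a re-run or a partially applied upgrade, for example that the column's presence is checked before the drop. The XSS entry above it would also be easier to audit if it named the field that reached bindPopup() and referenced an issue, as the CSP line does with (#34).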