diff --git a/CHANGES.md b/CHANGES.md
index af5a9bafb8a5c3238ca0ee40e0c20c029744d402..696f6bc6cce9b2b11db7c786dc3a0efaf99e8bdf 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -4,7 +4,7 @@ Synapse 1.21.2 (2020-10-15)
 Security advisory
 -----------------
 
-* HTML pages served via Synapse were vulernable to cross-site scripting (XSS)
+* HTML pages served via Synapse were vulnerable to cross-site scripting (XSS)
   attacks. All server administrators are encouraged to upgrade.
   ([34ff8da8](https://github.com/matrix-org/synapse/commit/34ff8da83b54024289f515c6d73e6b486574d699))
   ([CVE-2020-26891](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26891))