diff --git a/crates/hexchat/RUSTSEC-0000-0000.md b/crates/hexchat/RUSTSEC-0000-0000.md
new file mode 100644
index 000000000..f00ef11f3
--- /dev/null
+++ b/crates/hexchat/RUSTSEC-0000-0000.md
@@ -0,0 +1,26 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "hexchat"
+date = "2025-11-17"
+url = "https://github.com/pie-flavor/hexchat-rs/issues/3"
+categories = ["memory-corruption", "memory-exposure"]
+keywords = ["memory-safety"]
+informational = "unsound"
+
+[versions]
+patched = []
+```
+
+# hexchat crate is unsound and unmaintained
+
+All versions of this crate have function `deregister_command` which can result in use after free.
+This is unsound.
+
+In addition, all versions since 0.3.0 have "safe" macros, which are documented as unsafe to use in threads.
+
+In addition, the `hexchat` crate is no longer actively maintained. If you rely on this crate, consider switching to a recommended alternative.
+
+## Recommended alternatives
+
+- [`hexavalent`](https://crates.io/crates/hexavalent)
\ No newline at end of file
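Review bot: The front matter has no `[affected.functions]` table even though the body names `deregister_command` as the use-after-free source, so tooling that reads the metadata can only flag the whole crate and cannot tell a consumer whether they reach the unsound entry point. Consider adding one keyed by the function's full path, e.g. `"<FULL_PATH_TO_deregister_command>" = [<VERSION_REQ>]` (placeholders, to be confirmed against the crate). The second paragraph leaves the "safe" macros unnamed, so a reader cannot search their own code for them; listing the macro names would make that claim auditable. Two metadata points also need checking: `memory-exposure` in `categories` is not supported by anything in the description, and the title says "unsound and unmaintained" while `informational = "unsound"` records only the first, so a consumer filtering on the unmaintained kind would presumably not see this entry.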