diff --git a/cellar-tags/tags_security.md b/cellar-tags/tags_security.md
index 06c0b784..723e0711 100644
--- a/cellar-tags/tags_security.md
+++ b/cellar-tags/tags_security.md
@@ -6,7 +6,7 @@ Tag values can be either `TagString` or `TagBinary` blobs. In both cases issues
 
 Most of the time strings are kept as-is and don't pose a security issue, apart from invalid UTF-8 values.
 Implementations **MUST** validate `TagString` inputs for UTF-8 correctness and
-reasonable length before use, in accordance with the security considerations in [@!RFC3629, section 10].
+reasonable length before use, in accordance with the security considerations in [@!RFC3629, section 10] and [@!RFC9839, section 7].
 
 String tags that are parsed (such as "REPLAYGAIN_GAIN" or "REPLAYGAIN_PEAK" defined in (#technical-information)),
 string tags following the TagString formatting rules (#tagstring-formatting), or string tags following other strict formats like URLs,