diff --git a/crates/xcb/RUSTSEC-0000-0000.md b/crates/xcb/RUSTSEC-0000-0000.md new file mode 100644 index 0000000000..6c7885334e --- /dev/null +++ b/crates/xcb/RUSTSEC-0000-0000.md @@ -0,0 +1,29 @@ +```toml +[advisory] +id = "RUSTSEC-0000-0000" +package = "xcb" +date = "2025-08-05" +url = "https://github.com/rust-x-bindings/rust-xcb/issues/282" +references = ["https://github.com/rust-x-bindings/rust-xcb/issues/167"] +informational = "unsound" + +[versions] +patched = [] + +[affected.functions] +"xcb::Connection::connect_to_fd" = [">= 1.0.0-beta.0"] +"xcb::Connection::connect_to_fd_with_extensions" = [">= 1.0.0-beta.0"] +``` + +# Unsoundness in `xcb::Connection::connect_to_fd*` functions + +The API of `xcb::Connection` has constructors which allow an arbitrary `RawFd` +to be used as a socket connection. On either failure of these constructors or +on the drop of `Connection`, it closes the associated file descriptor. Thus, a +program which uses an `OwnedFd` (such as a `UnixStream`) as the file descriptor +can close the file descriptor and continue to attempt using it or close an +already-closed file descriptor. + +The functions not being safe was previously documented, although with no +specifics (https://github.com/rust-x-bindings/rust-xcb/issues/167). No action +was taken.
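Review bot: the advisory body describes the hazard (the `connect_to_fd*` constructors close the passed `RawFd` on failure and on drop, so an fd still owned by an `OwnedFd`/`UnixStream` gets closed twice) but gives no workaround, and with `patched = []` a workaround is the only guidance affected users will get from this file. Consider adding a short mitigation paragraph after "No action was taken." stating that these constructors behave as if they take ownership of the descriptor, so callers must hand over ownership (for example via `into_raw_fd()` on the owning type) or pass a duplicated descriptor, and must not reuse the original fd after the call, since a second `close` can hit an unrelated descriptor the process has since reused. It would also help to say in the "Thus, a program ..." sentence that the double close is the unsoundness being reported, as the title only names the functions and the body never uses the word.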