diff --git a/SECURITY.md b/SECURITY.md
index 2552df8a3..5a6a8f41c 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -2,6 +2,8 @@
 
 Please disclose any security issues or vulnerabilities found through [Tidelift's coordinated disclosure system](https://tidelift.com/security) or to the maintainers privately.
 
+PHPMailer versions between 6.1.8 and 6.4.0 contain a regression of the earlier CVE-2018-19296 object injection vulnerability as a result of [a fix for Windows UNC paths in 6.1.8](https://github.com/PHPMailer/PHPMailer/commit/e2e07a355ee8ff36aba21d0242c5950c56e4c6f9). Recorded as [CVE-2020-36326](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-36326). Reported by Fariskhi Vidyan via Tidelift. 6.4.1 fixes this issue, and also enforces stricter checks for URL schemes in local path contexts.
+
 PHPMailer versions 6.1.5 and earlier contain an output escaping bug that occurs in `Content-Type` and `Content-Disposition` when filenames passed into `addAttachment` and other methods that accept attachment names contain double quote characters, in contravention of RFC822 3.4.1. No specific vulnerability has been found relating to this, but it could allow file attachments to bypass attachment filters that are based on matching filename extensions. Recorded as [CVE-2020-13625](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13625). Reported by Elar Lang of Clarified Security.
 
 PHPMailer versions prior to 6.0.6 and 5.2.27 are vulnerable to an object injection attack by passing `phar://` paths into `addAttachment()` and other functions that may receive unfiltered local paths, possibly leading to RCE. Recorded as [CVE-2018-19296](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-19296). See [this article](https://knasmueller.net/5-answers-about-php-phar-exploitation) for more info on this type of vulnerability. Mitigated by blocking the use of paths containing URL-protocol style prefixes such as `phar://`. Reported by Sehun Oh of cyberone.kr.
diff --git a/VERSION b/VERSION
index c0be8a799..306894a15 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-6.4.0
\ No newline at end of file
+6.4.1
\ No newline at end of file
diff --git a/changelog.md b/changelog.md
index aa012bb86..01954d192 100644
--- a/changelog.md
+++ b/changelog.md
@@ -1,5 +1,12 @@
 # PHPMailer Change Log
 
+## Version 6.4.1 (April 29th, 2021)
+* **SECURITY** Fixes CVE-2020-36326, a regression of CVE-2018-19296 object injection introduced in 6.1.8, see SECURITY.md for details
+* Reject more file paths that look like URLs, matching RFC3986 spec, blocking URLS using schemes such as `ssh2`
+* Ensure method signature consistency in `doCallback` calls
+* Ukrainian language update
+* Add composer scripts for checking coding standards and running tests
+
 ## Version 6.4.0 (March 31st, 2021)
 * Revert change that made the `mail()` and sendmail transports set the envelope sender if one isn't explicitly provided, as it causes problems described in <https://github.com/PHPMailer/PHPMailer/issues/2298>
 * Check for mbstring extension before decoding addresss in `parseAddress`
diff --git a/src/PHPMailer.php b/src/PHPMailer.php
index 66eaa3831..2d16116a8 100644
--- a/src/PHPMailer.php
+++ b/src/PHPMailer.php
@@ -748,7 +748,7 @@ class PHPMailer
      *
      * @var string
      */
-    const VERSION = '6.4.0';
+    const VERSION = '6.4.1';
 
     /**
      * Error severity: message only, continue processing.
diff --git a/src/POP3.php b/src/POP3.php
index 9bd319865..a39f4803c 100644
--- a/src/POP3.php
+++ b/src/POP3.php
@@ -46,7 +46,7 @@ class POP3
      *
      * @var string
      */
-    const VERSION = '6.4.0';
+    const VERSION = '6.4.1';
 
     /**
      * Default POP3 port number.
diff --git a/src/SMTP.php b/src/SMTP.php
index 9d85929dd..0e7f53df5 100644
--- a/src/SMTP.php
+++ b/src/SMTP.php
@@ -35,7 +35,7 @@ class SMTP
      *
      * @var string
      */
-    const VERSION = '6.4.0';
+    const VERSION = '6.4.1';
 
     /**
      * SMTP line break constant.