diff --git a/CHANGELOG b/CHANGELOG
index a2667447c..b6d759031 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -200,6 +200,7 @@
 - fix potential clickjacking attack with manipulated email address of a user
 - loading more items on ViewFolder page obeys sort order
 - fix possible csrf attacks due to missing form token
+  (CVE-2021–26215, CVE-2021–26216)
 - show an error msg on the documents detail page if the checksum of version
   mismatch
 - overhaul notifications, type of receiver is now passed to notification
diff --git a/views/bootstrap/class.Bootstrap.php b/views/bootstrap/class.Bootstrap.php
index 51bda6f89..319504435 100644
--- a/views/bootstrap/class.Bootstrap.php
+++ b/views/bootstrap/class.Bootstrap.php
@@ -120,7 +120,7 @@ class SeedDMS_Bootstrap_Style extends SeedDMS_View_Common {
 		echo '<script type="text/javascript" src="../views/'.$this->theme.'/vendors/noty/themes/default.js"></script>'."\n";
 		echo '<script type="text/javascript" src="../styles/'.$this->theme.'/jqtree/tree.jquery.js"></script>'."\n";
 //		echo '<script type="text/javascript" src="../styles/'.$this->theme.'/jquery-cookie/jquery.cookie.js"></script>'."\n";
-		if($this->extraheader['favicon'])
+		if(!empty($this->extraheader['favicon']))
 			echo $this->extraheader['favicon'];
 		else {
 			echo '<link rel="icon" href="../views/'.$this->theme.'/images/favicon.svg" type="image/svg+xml"/>'."\n";