diff --git a/data/insecure_full.json b/data/insecure_full.json
index f2a1ff799..adb749994 100644
--- a/data/insecure_full.json
+++ b/data/insecure_full.json
@@ -2209,6 +2209,12 @@
             "v": "<3.1.0.8"
         }
     ],
+    "pando": [
+        {
+            "changelog": "-------------------------------------------\n\n* fix two security bugs related to CRLF injection\n  https://github.com/gratipay/security-qf35us/issues/1\n\n* remove argv-based configuration; Website now takes kwargs instead (455)\n\n* remove exec-based configuration, i.e., configure-aspen.py (373); use kwargs\n  to Website or environment variables instead\n\n* add a base_url configuration setting and use it in a new algorithm\n  function, redirect_to_base_url (457)\n\n* improve the redirect API: it's now at website.redirect instead of\n  request.redirect; it honors the new website.base_url; and it takes an \n  optional response object (458)\n\n\n",
+            "v": "<0.39"
+        }
+    ],
     "pastescript": [
         {
             "cve": "CVE-2012-0878",