diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8a7e0a98..c56b8837 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -21,6 +21,23 @@ The format is based on [Keep a Changelog](https://keepachangelog.com), and this
 * *Nothing*
 
 
+## [2.9.3] - 2021-11-15
+### Added
+* *Nothing*
+
+### Changed
+* *Nothing*
+
+### Deprecated
+* *Nothing*
+
+### Removed
+* *Nothing*
+
+### Fixed
+* [#1232](https://github.com/shlinkio/shlink/issues/1232) Solved potential SQL injection by enforcing `doctrine/dbal` 3.1.4.
+
+
 ## [2.9.2] - 2021-10-23
 ### Added
 * *Nothing*
diff --git a/composer.json b/composer.json
index 7abcf315..d520f6fb 100644
--- a/composer.json
+++ b/composer.json
@@ -18,7 +18,8 @@
         "akrabat/ip-address-middleware": "^2.0",
         "cakephp/chronos": "^2.2",
         "cocur/slugify": "^4.0",
-        "doctrine/migrations": "^3.3",
+        "doctrine/dbal": "^3.1.4",
+        "doctrine/migrations": "^3.3 <3.3.2",
         "doctrine/orm": "^2.9",
         "endroid/qr-code": "^4.2",
         "geoip2/geoip2": "^2.11",