diff --git a/src/core.c b/src/core.c
index 1f4707c8..88b41935 100644
--- a/src/core.c
+++ b/src/core.c
@@ -1820,6 +1820,12 @@ int StorageLoadValue(int position)
 }
 
 // Open URL with default system browser (if available)
+// Note:
+// This function is onlyl safe to use if you control the URL given.
+// A user could craft a malicious string performing another action.
+// Only call this function yourself not with user input or make sure to check the
+// string yourself.
+// See https://github.com/raysan5/raylib/issues/686
 void OpenURL(const char *url)
 {
     char *cmd = calloc(strlen(url) + 10, sizeof(char));
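Review bot: The added note above `OpenURL` documents the hazard but leaves enforcement to every caller, so the function is still unsafe by default for any string that is not fully trusted. The body continues outside the hunk, so how `cmd` is used is not visible here. If it is handed to a command interpreter, as the note implies, a guard at the top would help: refuse any `url` that does not begin with `http://` or `https://`, or that contains quotes, backslashes, whitespace or control characters, and return without building the command. The `calloc` result on the last visible line should also be checked before it is written to, e.g. `if (cmd == NULL) return;`. The comment itself has a typo and an awkward sentence; I would write `// This function is only safe to use if you control the URL given.` and `// Never pass user input to this function without validating the string first.`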