diff --git a/cpp/ql/lib/change-notes/2026-05-15-hasSocketInput-for-fscanf.md b/cpp/ql/lib/change-notes/2026-05-15-hasSocketInput-for-fscanf.md
new file mode 100644
index 000000000000..842d52dd8bfd
--- /dev/null
+++ b/cpp/ql/lib/change-notes/2026-05-15-hasSocketInput-for-fscanf.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `RemoteFlowSourceFunction` model for `fscanf` (and variants) now implements `hasSocketInput` to reflect that these functions may read from a socket.
\ No newline at end of file
diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/Scanf.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/Scanf.qll
index fbef5a8fcac5..f1b3edbe3370 100644
--- a/cpp/ql/lib/semmle/code/cpp/models/implementations/Scanf.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/Scanf.qll
@@ -87,6 +87,10 @@ private class FscanfModel extends ScanfFunctionModel, RemoteFlowSourceFunction i
     output.isParameterDeref(any(int i | i >= this.getArgsStartPosition())) and
     description = "value read by " + this.getName()
   }
+
+  override predicate hasSocketInput(FunctionInput input) {
+    input.isParameterDeref(super.getInputParameterIndex())
+  }
 }
 
 /**
diff --git a/cpp/ql/src/change-notes/2026-05-15-cleartext-transmission-fp.md b/cpp/ql/src/change-notes/2026-05-15-cleartext-transmission-fp.md
new file mode 100644
index 000000000000..6fcb3e1c88b2
--- /dev/null
+++ b/cpp/ql/src/change-notes/2026-05-15-cleartext-transmission-fp.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The 'Cleartext transmission of sensitive information' query (`cpp/cleartext-transmission`) no longer raises an alert on calls to `fscanf` (and variants) when the call reads from an "obviously local" `FILE` stream such as `stdin`.
\ No newline at end of file
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test3.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test3.cpp
index f4bfe5ca3405..35700d229e75 100644
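Review bot: The new `hasSocketInput` reaches the stream position through `super.getInputParameterIndex()` rather than `this.getInputParameterIndex()`; `super.` is only needed if `FscanfModel` itself overrides that predicate, which cannot be confirmed here because the class body above line 87 is outside the hunk, and otherwise `this.` is the conventional spelling for a model querying its own parameter layout. The predicate also carries no comment, and since it now feeds the `cpp/cleartext-transmission` exclusion described in the change note, a one-liner such as `// The FILE* stream argument may be socket-backed; whether a given stream is local is decided by the query.` would tell future model authors why a plain file-reading function claims a socket input. It is worth confirming that the claim is meant to be unconditional — as written it holds for every `fscanf` call, so suppressing local streams such as `stdin` appears to rest entirely on the query side.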
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test3.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test3.cpp
@@ -577,3 +577,10 @@ void tests3()
 	str = get_home_address();
 	send(val(), str, strlen(str), val()); // BAD
 }
+
+int fscanf(FILE* stream, const char* format, ... );
+
+void test_scanf() {
+	char password[256];
+	fscanf(stdin, "%255s", password); // GOOD: this is not a remote source
+}
\ No newline at end of file
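Review bot: The added `test_scanf` only pins the negative case — `fscanf(stdin, ...)` marked GOOD — so nothing in this hunk guards the other direction, that an `fscanf` on a stream of unknown origin still alerts, which is the behaviour the new `hasSocketInput` model is presumably meant to preserve while the "obviously local" exclusion removes the `stdin` false positive. A second body alongside it, along the lines of `FILE *f = get_stream(); fscanf(f, "%255s", password); // BAD: stream origin unknown`, would lock in both sides and catch a future change that widens the local-stream exclusion too far. The new `int fscanf(FILE* stream, ...)` declaration relies on `FILE` and `stdin` being declared earlier in test3.cpp, outside this hunk, so that should be checked against the existing prelude. Minor style: the declaration has a stray space in `... )`, and the file now ends without a trailing newline.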