diff --git a/CHANGELOG b/CHANGELOG
index ce9044669..f70082fb4 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -71,6 +71,10 @@ o [Ncat][GH#2167][GH#2168] Ncat is now again generating certificates
   with the duration of one year. Due to a bug, recent versions of Ncat were
   using only one minute. [Tobias Girstmair]
 
+o [NSE][GH#2281] URL/percent-encoding is now using uppercase hex digits
+  to align with RFC 3986, section 2.1, and to improve compatibility with some
+  real-world web servers. [nnposter]
+
 o [NSE][GH#2174] Script hostmap-crtsh got improved in several ways. The most
   visible are that certificate SANs are properly split apart and that
   identities that are syntactically incorrect to be hostnames are now ignored.
diff --git a/nselib/url.lua b/nselib/url.lua
index 737a1ea29..e066a5f10 100644
--- a/nselib/url.lua
+++ b/nselib/url.lua
@@ -58,7 +58,7 @@ local function make_set(t)
 end
 
 local function hex_esc (c)
-  return string.format("%%%02x", string.byte(c))
+  return string.format("%%%02X", string.byte(c))
 end
 
 -- these are allowed within a path segment, along with alphanum