diff --git a/muranodashboard/api/packages.py b/muranodashboard/api/packages.py
index 30555b080..aea778678 100644
--- a/muranodashboard/api/packages.py
+++ b/muranodashboard/api/packages.py
@@ -71,7 +71,7 @@ def app_by_fqn(request, fqn, catalog=True):
def make_loader_cls():
- class Loader(yaml.Loader):
+ class Loader(yaml.SafeLoader):
pass
def yaql_constructor(loader, node):
@@ -80,7 +80,7 @@ def make_loader_cls():
# workaround for PyYAML bug: http://pyyaml.org/ticket/221
resolvers = {}
- for k, v in yaml.Loader.yaml_implicit_resolvers.items():
+ for k, v in yaml.SafeLoader.yaml_implicit_resolvers.items():
resolvers[k] = v[:]
Loader.yaml_implicit_resolvers = resolvers
diff --git a/releasenotes/notes/safeloader-cve-2016-4972-82523879a6c3b1a5.yaml b/releasenotes/notes/safeloader-cve-2016-4972-82523879a6c3b1a5.yaml
new file mode 100644
index 000000000..f022c5c7e
--- /dev/null
+++ b/releasenotes/notes/safeloader-cve-2016-4972-82523879a6c3b1a5.yaml
@@ -0,0 +1,9 @@
+---
+security:
+ - cve-2016-4972 has been addressed. In ceveral places
+ Murano used loaders inherited directly from yaml.Loader
+ when parsing MuranoPL and UI files from packages.
+ This is unsafe, because this loader is capable of creating
+ custom python objects from specifically constructed
+ yaml files. With this change all yaml loading operations are done
+ using safe loaders instead.
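Review bot: Rebasing on `class Loader(yaml.SafeLoader):` blocks the `!!python/...` constructors, but the hunk does not show how `yaql_constructor` is attached to this class; if it is registered with `yaml.add_constructor(tag, fn)` and no `Loader=Loader` argument it lands on PyYAML's default loader and this subclass never sees it, so please confirm the registration reads `Loader.add_constructor(...)` (the rest of make_loader_cls lies outside the hunk). The fix is also only as strong as the call sites: any `yaml.load(data)` elsewhere that omits `Loader=make_loader_cls()` still picks PyYAML's default loader, which on older releases is the unsafe one, and the release note's "all yaml loading operations" claim cannot be checked from this diff alone. A regression test would pin the property this commit is for: loading the document `!!python/object/apply:os.system ["true"]` through this loader should raise `yaml.constructor.ConstructorError` rather than execute anything.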
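Review bot: The base class is now named twice in make_loader_cls — on the `class Loader(yaml.SafeLoader):` line and again in `yaml.SafeLoader.yaml_implicit_resolvers.items()` here — so any later change of the base needs both edits or the subclass quietly copies the resolvers of a different loader than it inherits from. At this point the subclass still has no `yaml_implicit_resolvers` of its own (the override is the hunk's last line), so `for k, v in Loader.yaml_implicit_resolvers.items():` reads the same inherited mapping and keeps the copy tied to whatever base `Loader` actually has; the per-value `v[:]` copy should stay as is. The enclosing make_loader_cls begins outside this hunk.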