diff --git a/muranoclient/common/utils.py b/muranoclient/common/utils.py index 63cc00cc..0b17c073 100644 --- a/muranoclient/common/utils.py +++ b/muranoclient/common/utils.py @@ -605,12 +605,12 @@ class Bundle(FileWrapperMixin): yield pkg_obj -class YaqlYamlLoader(yaml.Loader): +class YaqlYamlLoader(yaml.SafeLoader): pass # workaround for PyYAML bug: http://pyyaml.org/ticket/221 resolvers = {} -for k, v in yaml.Loader.yaml_implicit_resolvers.items(): +for k, v in yaml.SafeLoader.yaml_implicit_resolvers.items(): resolvers[k] = v[:] YaqlYamlLoader.yaml_implicit_resolvers = resolvers diff --git a/muranoclient/v1/artifact_packages.py b/muranoclient/v1/artifact_packages.py index c60b5479..7b082ab2 100644 --- a/muranoclient/v1/artifact_packages.py +++ b/muranoclient/v1/artifact_packages.py @@ -190,7 +190,7 @@ class ArtifactRepo(object): ui_stream = "".join( self.client.artifacts.download_blob(app_id, 'ui_definition')) if loader_cls is None: - loader_cls = yaml.Loader + loader_cls = yaml.SafeLoader return yaml.load(ui_stream, loader_cls) def get_logo(self, app_id): diff --git a/muranoclient/v1/package_creator/hot_package.py b/muranoclient/v1/package_creator/hot_package.py index 45e8350c..b375617f 100644 --- a/muranoclient/v1/package_creator/hot_package.py +++ b/muranoclient/v1/package_creator/hot_package.py @@ -43,7 +43,7 @@ def generate_manifest(args): args.full_name = '{0}.{1}'.format(prefix, normalized_name) try: with open(args.template, 'rb') as heat_file: - yaml_content = yaml.load(heat_file) + yaml_content = yaml.safe_load(heat_file) if not args.description: args.description = yaml_content.get( 'description', diff --git a/muranoclient/v1/packages.py b/muranoclient/v1/packages.py index 2581794d..ce052aa5 100644 --- a/muranoclient/v1/packages.py +++ b/muranoclient/v1/packages.py 
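Review bot: The resolver-copy loop now names `yaml.SafeLoader` a second time, so the base class and the source of the copied resolvers are two places that must be kept in agreement; since the attribute is inherited, iterating `for k, v in YaqlYamlLoader.yaml_implicit_resolvers.items():` reads the base class's dict through the subclass and follows any future change of base automatically. The class body is a bare `pass`, and nothing records that the base class is the security fix, which makes a later "upgrade" back to `yaml.Loader` easy to make by accident; a docstring such as `"""YAML loader for MuranoPL/UI files. Derives from SafeLoader so tagged Python objects are rejected (CVE-2016-4972); do not rebase on yaml.Loader."""` would pin that down. Note that a SafeLoader base rejects every unknown tag with `yaml.constructor.ConstructorError`, so any custom tag this loader needs (the name suggests `!yaql`) must be registered on `YaqlYamlLoader` via `add_constructor`; whether that registration exists is not visible in this hunk.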
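Review bot: The safe default only covers callers that pass `None`; `loader_cls` is still forwarded to `yaml.load` unchecked, so a caller passing `yaml.Loader` reparses the catalog-supplied blob with the unsafe loader this commit is removing. The signature of `get_ui` lies outside the hunk, so at minimum its docstring should state the contract, e.g. `"""Fetch and parse the UI definition of ``app_id``; ``loader_cls`` must be a safe PyYAML loader (``yaml.SafeLoader`` or a subclass) because the blob is untrusted server data."""`. If the project wants this enforced rather than documented, a guard like `if not issubclass(loader_cls, yaml.SafeLoader): raise ValueError('loader_cls must derive from yaml.SafeLoader')` before the load works, with the caveat that `yaml.CSafeLoader` is not a `SafeLoader` subclass and would need to be listed explicitly. Passing the loader as `yaml.load(ui_stream, Loader=loader_cls)` also makes the intent visible at the call site.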
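Review bot: `yaml.safe_load` returns `None` for an empty template and a list for a top-level sequence, and the very next line calls `yaml_content.get('description', ...)`, so a malformed template fails with an `AttributeError` rather than a message naming the file; whether the surrounding `try` catches that cannot be seen here, as `generate_manifest` and its `except` clause continue outside the hunk. A check right after the load, `if not isinstance(yaml_content, dict): raise ValueError('Heat template {0} must be a YAML mapping'.format(args.template))`, turns this into a clear error. Opening the template in `'rb'` is fine for `safe_load`, which accepts a byte stream, so no change is needed there.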
@@ -147,7 +147,7 @@ class PackageManager(base.Manager): def get_ui(self, app_id, loader_cls=None): if loader_cls is None: - loader_cls = yaml.Loader + loader_cls = yaml.SafeLoader url = '/v1/catalog/packages/{0}/ui'.format(app_id) response = self.api.raw_request('GET', url) diff --git a/releasenotes/notes/safeloader-cve-2016-4972-0e3b733af0d2f49d.yaml b/releasenotes/notes/safeloader-cve-2016-4972-0e3b733af0d2f49d.yaml new file mode 100644 index 00000000..f022c5c7 --- /dev/null +++ b/releasenotes/notes/safeloader-cve-2016-4972-0e3b733af0d2f49d.yaml @@ -0,0 +1,9 @@ +--- +security: + - cve-2016-4972 has been addressed. In ceveral places + Murano used loaders inherited directly from yaml.Loader + when parsing MuranoPL and UI files from packages. + This is unsafe, because this loader is capable of creating + custom python objects from specifically constructed + yaml files. With this change all yaml loading operations are done + using safe loaders instead.
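Review bot: The `loader_cls=None` parameter keeps accepting any loader class, so the `SafeLoader` default fixes the common path but an explicit `loader_cls=yaml.Loader` from a caller still deserializes arbitrary objects from the `/v1/catalog/packages/{id}/ui` response; the `yaml.load` call itself is below the hunk, so the parsing of `response` cannot be reviewed here. Add a docstring on `get_ui` stating the constraint, e.g. `"""Return the parsed UI definition of ``app_id``. ``loader_cls`` must be a safe loader (``yaml.SafeLoader`` or a subclass such as the module's own ``YaqlYamlLoader``); the response body is untrusted."""`. One thing to confirm: a plain `SafeLoader` rejects unknown tags with `ConstructorError`, so if UI definitions use a custom tag like `!yaql`, the default should presumably be the project's `YaqlYamlLoader` (now SafeLoader-based) rather than bare `yaml.SafeLoader`; that depends on the UI file format, which is not visible in this diff.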