diff --git a/.github/workflows/release_channels.yml b/.github/workflows/release_channels.yml
index e8b4f8679..bd9e50fab 100644
--- a/.github/workflows/release_channels.yml
+++ b/.github/workflows/release_channels.yml
@@ -93,6 +93,7 @@ jobs:
       - name: Bump org.meshtastic.meshtasticd.metainfo.xml
         shell: bash
         run: |
+          pip install defusedxml -q
           chmod +x ./bin/bump_metainfo.py
           ./bin/bump_metainfo.py --file bin/org.meshtastic.meshtasticd.metainfo.xml "v${{ steps.version.outputs.long }}"
 
diff --git a/bin/bump_metainfo.py b/bin/bump_metainfo.py
index cc264eafd..7b0b5bbfe 100755
--- a/bin/bump_metainfo.py
+++ b/bin/bump_metainfo.py
@@ -1,7 +1,8 @@
 #!/usr/bin/env python3
-import xml.etree.ElementTree as ET
-from datetime import datetime, timezone
 import argparse
+import xml.etree.ElementTree as ET
+from defusedxml.ElementTree import parse
+from datetime import datetime, timezone
 
 
 def indent(elem, level=0):
@@ -28,7 +29,7 @@ def main():
 
     args = parser.parse_args()
 
-    tree = ET.parse(args.file)
+    tree = parse(args.file)
     root = tree.getroot()
 
     releases = root.find('releases')