diff --git a/setup.py b/setup.py
index 3e585b6b..a6f7844c 100644
--- a/setup.py
+++ b/setup.py
@@ -17,6 +17,7 @@ EXTRAS_REQUIRE = {
 'qrcode': ['qrcode'],
 'sound;platform_system=="Windows"': ['winsound'],
 'tor': ['stem'],
+ 'xml': ['defusedxml'],
 'docs': ['sphinx', 'sphinxcontrib-apidoc', 'm2r']
 }
diff --git a/src/api.py b/src/api.py
index 7c498dd1..0a38a7d6 100644
--- a/src/api.py
+++ b/src/api.py
@@ -17,10 +17,10 @@ import random # nosec
 import socket
 import subprocess
 import time
+import xmlrpclib
 from binascii import hexlify, unhexlify
 from SimpleXMLRPCServer import SimpleXMLRPCRequestHandler, SimpleXMLRPCServer
 from struct import pack
-import xmlrpclib
 import defaults
 import helper_inbox
@@ -46,6 +46,14 @@ from inventory import Inventory
 from network.threads import StoppableThread
 from version import softwareVersion
+try: # TODO: write tests for XML vulnerabilities
+ from defusedxml.xmlrpc import monkey_patch
+except ImportError:
+ logger.warning(
+ 'defusedxml not available, only use API on a secure, closed network.')
+else:
+ monkey_patch()
+
 str_chan = '[chan]'
 str_broadcast_subscribers = '[Broadcast subscribers]'
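Review bot: The `except ImportError` branch in the last src/api.py hunk fails open: when defusedxml is missing, the module logs one warning at import time and the API presumably keeps parsing request bodies with the unpatched `xmlrpclib`. Because the setup.py hunk declares defusedxml only as the optional `xml` extra, this is the path a default install takes, and a single import-time warning is easy to miss. Consider recording the outcome in a module-level flag, e.g. `xml_hardened = False` in the `except` branch and `xml_hardened = True` after `monkey_patch()`, so the code that starts the API server (outside this hunk) can check it and refuse to bind to a non-loopback address, or warn again there. Also confirm that `logger` is bound above line 46, since no import of it is visible in the hunk and the fallback branch would otherwise raise `NameError` instead of warning.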