diff --git a/lnt/lnttool/admin.py b/lnt/lnttool/admin.py --- a/lnt/lnttool/admin.py +++ b/lnt/lnttool/admin.py @@ -50,7 +50,7 @@ def _try_load_config(self, filename): try: - config = yaml.load(open(filename)) + config = yaml.safe_load(open(filename)) for key, value in config.items(): self._set(key, value) except IOError as e: diff --git a/lnt/server/db/v4db.py b/lnt/server/db/v4db.py --- a/lnt/server/db/v4db.py +++ b/lnt/server/db/v4db.py @@ -19,7 +19,7 @@ def _load_schema_file(self, schema_file): session = self.make_session(expire_on_commit=False) with open(schema_file) as schema_fd: - data = yaml.load(schema_fd) + data = yaml.safe_load(schema_fd) suite = testsuite.TestSuite.from_json(data) testsuite.check_testsuite_schema_changes(session, suite) suite = testsuite.sync_testsuite_with_metatables(session, suite) diff --git a/setup.py b/setup.py --- a/setup.py +++ b/setup.py @@ -130,7 +130,7 @@ "Flask-WTF==0.12", "typing", "click==6.7", - "pyyaml==3.13", + "pyyaml==5.1.2", "requests", "future", "lit==0.11.1", diff --git a/tests/server/ui/test_api.py b/tests/server/ui/test_api.py --- a/tests/server/ui/test_api.py +++ b/tests/server/ui/test_api.py @@ -278,7 +278,7 @@ # The reported schema should be the same as the yaml one on the top. with open('%s/schemas/nts.yaml' % self.instance_path) as syaml: - yaml_schema = yaml.load(syaml) + yaml_schema = yaml.safe_load(syaml) # Do some massaging to make it similar to the rest API result. for m in yaml_schema['metrics']: if 'unit' not in m:
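Review bot: In `_try_load_config` the new `yaml.safe_load(open(filename))` still never closes the file, and `safe_load` returns `None` for an empty document, so `config.items()` would raise `AttributeError`, which the only handler visible in the hunk (`except IOError`) does not catch. I would change the load to `with open(filename) as fd:` followed by `config = yaml.safe_load(fd) or {}`. Since `safe_load` rejects Python-specific tags with a `yaml.YAMLError`, a config file that relied on them now fails at this line, and catching that error to report the file name would be friendlier than a traceback; the rest of the function lies outside the hunk, so such a handler may already exist. The same empty-document case applies to `_load_schema_file` in `lnt/server/db/v4db.py`, where `data` is passed straight to `testsuite.TestSuite.from_json`.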