diff --git a/poetry.lock b/poetry.lock
index 5906f03..c2754ec 100644
--- a/poetry.lock
+++ b/poetry.lock
@@ -1,4 +1,4 @@
-# This file is automatically @generated by Poetry 1.8.3 and should not be changed by hand.
+# This file is automatically @generated by Poetry 1.8.4 and should not be changed by hand.
 
 [[package]]
 name = "certifi"
@@ -220,6 +220,17 @@ files = [
 [package.extras]
 toml = ["tomli"]
 
+[[package]]
+name = "defusedxml"
+version = "0.7.1"
+description = "XML bomb protection for Python stdlib modules"
+optional = false
+python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*"
+files = [
+    {file = "defusedxml-0.7.1-py2.py3-none-any.whl", hash = "sha256:a352e7e428770286cc899e2542b6cdaedb2b4953ff269a210103ec58f6198a61"},
+    {file = "defusedxml-0.7.1.tar.gz", hash = "sha256:1bb3032db185915b62d7c6209c5a8792be6a32ab2fedacc84e01b52c51aa3e69"},
+]
+
 [[package]]
 name = "exceptiongroup"
 version = "1.2.2"
@@ -412,4 +423,4 @@ zstd = ["zstandard (>=0.18.0)"]
 [metadata]
 lock-version = "2.0"
 python-versions = ">=3.8,<3.14"
-content-hash = "370c5c5f94f6000e0fdb76190a3aabd5acadf804802ca70dba41787d306799b4"
+content-hash = "9688fe60ffcd776c6ed6da0a9cedf875f97aefcd72fdc817495978b68afc381b"
diff --git a/pyproject.toml b/pyproject.toml
index ad6de10..ed73331 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -49,6 +49,7 @@ precommit.shell = "poe format && poe lint && poe coverage"
 [tool.poetry.dependencies]
 python = ">=3.8,<3.14"
 requests = "*"
+defusedxml = "^0.7.1"
 
 [tool.poetry.group.test]
 optional = true
diff --git a/youtube_transcript_api/_transcripts.py b/youtube_transcript_api/_transcripts.py
index f93f717..0c42258 100644
--- a/youtube_transcript_api/_transcripts.py
+++ b/youtube_transcript_api/_transcripts.py
@@ -8,7 +8,7 @@
 
 import json
 
-from xml.etree import ElementTree
+from defusedxml import ElementTree
 
 import re