diff --git a/CHANGELOG.md b/CHANGELOG.md
index 77850283e..e92076dc6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,7 @@
 - Fix a bug: wrong reservations count for spaces in availabilities export (#415)
 - Fix a security issue: updated express to 4.18.2 to fix [CVE-2022-24999](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24999)
 - Fix a security issue: updated @claviska/jquery-minicolors to 2.3.6 to fix [CVE-2021-4243](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4243)
+- Fix a security issue: updated loofah to 2.19.1 to fix [CVE-2022-23514](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23514), [CVE-2022-23515](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23515) and [CVE-2022-23516](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23516)
 
 ## v5.5.7 2022 December 13
 
diff --git a/Gemfile.lock b/Gemfile.lock
index 941a6a7ec..7ee3a63a4 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -207,7 +207,7 @@ GEM
     listen (3.0.8)
       rb-fsevent (~> 0.9, >= 0.9.4)
       rb-inotify (~> 0.9, >= 0.9.7)
-    loofah (2.18.0)
+    loofah (2.19.1)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     mail (2.7.1)