diff --git a/CHANGELOG.md b/CHANGELOG.md index 8620bc099..db78844bb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,17 +1,18 @@ # Changelog Fab Manager ## next release -- Updated Omniauth to fix Hashie warnings [omniauth#872](https://github.com/omniauth/omniauth/issues/872) +- Updated OmniAuth to fix Hashie warnings [omniauth#872](https://github.com/omniauth/omniauth/issues/872) +- Fix a security issue: dependency loofah has a vulnerability as described in [CVE-2018-8048](https://github.com/flavorjones/loofah/issues/144) ## v2.6.4 2018 March 15 - Ability to share trainings on social medias - Fix a bug: a reminder notification were sent for canceled reservations - Fix a bug: sharing an event on facebook has HTML tags in the description -- fix stripe api version, all fabmanagers has to use this version because codebase relies on it -- updates omniauth to ~> 1.3.2 (security vulnerability) -- updates rack-protection to 1.5.5 (security vulnerability) see [this link](https://github.com/sinatra/sinatra/issues/1408) and [this link](https://github.com/sinatra/rack-protection/pull/122) -- updates twitter gem in order to get rid of security warning from gem "http" +- Set Stripe API version, all fab-managers has to use this version because codebase relies on it +- Fix a security issue: OmniAuth < 1.3.2 has a security vulnerability described in [CVE-2017-18076](https://nvd.nist.gov/vuln/detail/CVE-2017-18076) +- Fix a security issue: rack-protection < 1.5.5 has a security vulnerability described in [CVE-2018-1000119](https://nvd.nist.gov/vuln/detail/CVE-2018-1000119) +- Fix a security issue: http gem < 0.7.3 has a security vulnerability described in [CVE-2015-1828](https://nvd.nist.gov/vuln/detail/CVE-2015-1828), updates twitter gem as a dependency ## v2.6.3 2018 January 2 diff --git a/Gemfile.lock b/Gemfile.lock index 2bda29167..3004de007 100644 --- a/Gemfile.lock +++ b/Gemfile.lock 
@@ -136,7 +136,7 @@ GEM tins (>= 1.6.0, < 2) crack (0.4.3) safe_yaml (~> 1.0.0) - crass (1.0.2) + crass (1.0.3) daemons (1.2.4) database_cleaner (1.4.1) debug_inspector (0.0.3) @@ -234,7 +234,7 @@ GEM activesupport (>= 3.0.0) kgio (2.9.3) libv8 (3.16.14.11) - loofah (2.1.1) + loofah (2.2.2) crass (~> 1.0.2) nokogiri (>= 1.5.9) mail (2.7.0) @@ -274,7 +274,7 @@ GEM net-ssh-gateway (1.2.0) net-ssh (>= 2.6.5) netrc (0.10.3) - nokogiri (1.8.1) + nokogiri (1.8.2) mini_portile2 (~> 2.3.0) notify_with (0.0.2) jbuilder (~> 2.0)
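Review bot: In the CHANGELOG.md hunk, the new loofah entry (`Fix a security issue: dependency loofah has a vulnerability as described in [CVE-2018-8048](https://github.com/flavorjones/loofah/issues/144)`) breaks the pattern the three other new security entries in the same hunk follow: it gives no affected-version boundary and links to a GitHub issue rather than NVD. Suggest `loofah < 2.2.2 has a security vulnerability described in [CVE-2018-8048](https://nvd.nist.gov/vuln/detail/CVE-2018-8048)`, which also records the version the Gemfile.lock hunk actually moves to. The rewritten Stripe line also carries over a grammar error (`all fab-managers has to use` should be `have to use`).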
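Review bot: The `crass (1.0.2)` to `crass (1.0.3)` bump in the first Gemfile.lock hunk is consistent with the `crass (~> 1.0.2)` constraint shown under loofah in the next hunk, but it is not mentioned anywhere in the CHANGELOG.md hunk. A transitive bump taken as part of a security fix should get a short changelog line so the lockfile and the changelog can be cross-checked later.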
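Review bot: The loofah hunk moves `loofah (2.1.1)` to `loofah (2.2.2)` in Gemfile.lock only; no Gemfile change appears in this diff. If loofah is resolved transitively rather than declared, a later `bundle update` of the parent gem could resolve back below 2.2.2 and silently reintroduce CVE-2018-8048. Consider declaring the minimum explicitly in Gemfile (e.g. `gem 'loofah', '>= 2.2.2'`) so the fix is a stated constraint rather than just the current resolved state.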
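Review bot: The `nokogiri (1.8.1)` to `nokogiri (1.8.2)` bump in the last hunk is not required by the loofah constraint shown in the previous hunk (`nokogiri (>= 1.5.9)`) and is not recorded in the CHANGELOG.md hunk. Either add a changelog line stating it is an incidental update taken with the security fix, or split it out so the security change set stays minimal and reviewable.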