diff --git a/README.md b/README.md index b4402d7..6162f90 100644 --- a/README.md +++ b/README.md @@ -39,6 +39,14 @@ console.log("Explorer mounted at localhost:" + port + "/explorer"); app.listen(port); ``` +## swagger-ui vulnerabilities + +Regarding the security vulnerability on one of our dependencies `swagger-ui`: https://www.npmjs.com/advisories/985 + +> Versions of swagger-ui prior to 3.0.13 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize YAML files imported from URLs or copied-pasted. This may allow attackers to execute arbitrary JavaScript. + +LoopBack's API Explorer does not allow clients to import swagger spec from YAML URL/pasted-content. That means loopback-component-explorer **IS NOT AFFECTED** by this vulnerability. For more details, see discussion in https://github.com/strongloop/loopback-component-explorer/issues/263#issuecomment-529385166. + ## Upgrading from v1.x To upgrade your application using loopback-explorer version 1.x, just replace
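Review bot: the new `## swagger-ui vulnerabilities` section states the component **IS NOT AFFECTED** because the Explorer does not expose the YAML URL/paste import path, but it gives the reader nothing to check that claim against; consider stating which swagger-ui version loopback-component-explorer bundles (the quoted advisory covers versions prior to 3.0.13) and saying whether the dependency will be bumped, so that anyone whose dependency scanner flags advisory 985 knows why the finding is reported and what, if anything, would clear it. Minor: the heading is plural while the section covers a single advisory, and "import swagger spec from YAML URL/pasted-content" reads better as "import a Swagger spec from a YAML URL or pasted content".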