diff --git a/src/pretix/base/exporters/orderlist.py b/src/pretix/base/exporters/orderlist.py
index 9dad300b5c..e7a8e43c07 100644
--- a/src/pretix/base/exporters/orderlist.py
+++ b/src/pretix/base/exporters/orderlist.py
@@ -1,9 +1,9 @@
-import csv
 import io
 from collections import OrderedDict
 from decimal import Decimal
 import pytz
+from defusedcsv import csv
 from django import forms
 from django.db.models import Sum
 from django.dispatch import receiver
diff --git a/src/pretix/control/views/vouchers.py b/src/pretix/control/views/vouchers.py
index f0b046343b..26f3cb187c 100644
--- a/src/pretix/control/views/vouchers.py
+++ b/src/pretix/control/views/vouchers.py
@@ -1,6 +1,6 @@
-import csv
 import io
+from defusedcsv import csv
 from django.conf import settings
 from django.contrib import messages
 from django.core.urlresolvers import resolve, reverse
diff --git a/src/pretix/plugins/checkinlists/exporters.py b/src/pretix/plugins/checkinlists/exporters.py
index 77966dcbd8..d403c728f0 100644
--- a/src/pretix/plugins/checkinlists/exporters.py
+++ b/src/pretix/plugins/checkinlists/exporters.py
@@ -1,7 +1,7 @@
-import csv
 import io
 from collections import OrderedDict
+from defusedcsv import csv
 from django import forms
 from django.db.models.functions import Coalesce
 from django.utils.translation import ugettext as _, ugettext_lazy
diff --git a/src/requirements/production.txt b/src/requirements/production.txt
index a860d1ac12..483daf396f 100644
--- a/src/requirements/production.txt
+++ b/src/requirements/production.txt
@@ -39,3 +39,4 @@ chardet<3.1.0,>=3.0.2
 mt-940==3.2
 vobject==0.9.*
 pycountry
+defusedcsv>=1.0.1
diff --git a/src/setup.py b/src/setup.py
index 8d27090286..d557709376 100644
--- a/src/setup.py
+++ b/src/setup.py
@@ -100,7 +100,8 @@ setup(
 'mt-940==4.7',
 'django-i18nfield>=1.0.1',
 'vobject==0.9.*',
- 'pycountry'
+ 'pycountry',
+ 'defusedcsv'
 ],
 extras_require={
 'dev': [
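Review bot: Replacing `import csv` with `from defusedcsv import csv` protects only the cells written through this module's `csv.writer`/`DictWriter`, and the escaping it applies to fields beginning with `=`, `+`, `-` or `@` also rewrites legitimate data, so a column carrying negative amounts (this module imports `Decimal` and `Sum`) may now export as a quoted string rather than a number, depending on the defusedcsv release installed. Worth confirming with a fixture export that refund or negative-total rows still parse as numbers in a spreadsheet, or pre-formatting numeric cells so the guard only sees the values it is meant to escape; the row-writing call sites are outside this hunk. The same substitution is made in vouchers.py and checkinlists/exporters.py and the remark applies there too. A one-line comment on the new import, `# defusedcsv guards exported cells against spreadsheet formula injection; do not revert to stdlib csv`, would stop a later maintainer from "fixing" the unusual import.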
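Review bot: The `'defusedcsv'` entry added to install_requires in setup.py carries no version floor, while production.txt in the same commit pins `defusedcsv>=1.0.1`, so an install driven by setup.py can resolve to an older release than the one the requirements file was tested against. Align the two: `'defusedcsv>=1.0.1'`. Every neighbouring entry in this list is pinned, so the bare name also departs from the file's own convention.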