diff --git a/app/helpers/camaleon_cms/uploader_helper.rb b/app/helpers/camaleon_cms/uploader_helper.rb
index 8f82b190..9a8453b6 100644
--- a/app/helpers/camaleon_cms/uploader_helper.rb
+++ b/app/helpers/camaleon_cms/uploader_helper.rb
@@ -58,6 +58,9 @@ def upload_file(uploaded_io, settings = {})
     hooks_run('before_upload', settings)
     res = { error: nil }
 
+    # guard against path traversal
+    return { error: 'Invalid file path' } unless cama_uploader.class.valid_folder_path?(settings[:folder])
+
     # formats validations
     return { error: "#{ct('file_format_error')} (#{settings[:formats]})" } unless cama_uploader.class.validate_file_format(
       uploaded_io.path, settings[:formats]
diff --git a/app/uploaders/camaleon_cms_uploader.rb b/app/uploaders/camaleon_cms_uploader.rb
index 7e2c7492..05399356 100644
--- a/app/uploaders/camaleon_cms_uploader.rb
+++ b/app/uploaders/camaleon_cms_uploader.rb
@@ -125,6 +125,12 @@ def self.validate_file_format(key, valid_formats = '*')
     valid_formats.include?(File.extname(key).sub('.', '').split('?').first.try(:downcase))
   end
 
+  def self.valid_folder_path?(path)
+    return false if path.include?("..") || File.absolute_path?(path) || path.include?("://")
+
+    true
+  end
+
   # verify if this file name already exist
   # if the file is already exist, return a new name for this file
   # sample: search_new_key("my_file/file.txt")
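Review bot: The new guard is placed after `hooks_run('before_upload', settings)`, so any before_upload hook already runs with an unvalidated `settings[:folder]`; if hooks read or act on that folder, the line `return { error: 'Invalid file path' } unless cama_uploader.class.valid_folder_path?(settings[:folder])` should sit above `hooks_run` so rejection happens before any side effect. The guard also passes `settings[:folder]` through as-is, and a caller that omits the folder would hand `nil` to `valid_folder_path?`, which calls `include?` on it; whether the helper defaults the folder earlier is not visible here, since `upload_file` starts outside the hunk. For consistency with the adjacent format-validation message, the new error text could go through `ct(...)` like its sibling rather than a hard-coded literal.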
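Review bot: `valid_folder_path?` raises `NoMethodError` when `path` is `nil`, because the first check calls `include?` on it; coercing with `path = path.to_s` as the first line avoids a 500 from the upload endpoint, and if an absent folder should be rejected rather than treated as the root, add `return false if path.empty?` after it. The three checks plus the trailing `true` also collapse into one expression, `!(path.include?('..') || File.absolute_path?(path) || path.include?('://'))`, and single quotes match the surrounding file. A substring test on `..` rejects benign names such as `a..b`, and `://` only catches scheme-style strings; a stricter check is to expand the candidate against the upload base directory and require the result to remain under it, but that base is not visible in this hunk, so I leave it as a follow-up to confirm against the caller.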