diff --git a/apps/server/src/integrations/import/utils/file.utils.ts b/apps/server/src/integrations/import/utils/file.utils.ts
index b3d39cda..0b27554b 100644
--- a/apps/server/src/integrations/import/utils/file.utils.ts
+++ b/apps/server/src/integrations/import/utils/file.utils.ts
@@ -103,6 +103,14 @@ function extractZipInternal(
   zipfile.on('entry', (entry) => {
     const name = entry.fileName.toString('utf8');
     const safe = name.replace(/^\/+/, '');
+
+    const validationError = yauzl.validateFileName(safe);
+    if (validationError) {
+      console.warn(`Skipping invalid entry (${validationError})`);
+      zipfile.readEntry();
+      return;
+    }
+
     if (safe.startsWith('__MACOSX/')) {
       zipfile.readEntry();
       return;
@@ -110,6 +118,15 @@ function extractZipInternal(
 
     const fullPath = path.join(target, safe);
 
+    const resolved = path.resolve(fullPath);
+    const targetResolved = path.resolve(target);
+
+    if (!resolved.startsWith(targetResolved + path.sep)) {
+      console.warn(`Skipping entry (path outside target): ${safe}`);
+      zipfile.readEntry();
+      return;
+    }
+
     // Handle directories
     if (/\/$/.test(name)) {
       try {
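Review bot: The `console.warn` inside the `if (!resolved.startsWith(targetResolved + path.sep))` block interpolates the archive-supplied entry name `safe` into the log verbatim; zip entry names are untrusted input and may contain newlines or control characters, so one entry can break the log line or forge extra ones. Serialising the name keeps one event per line and makes names with leading or trailing whitespace readable: `console.warn(`Skipping entry (path outside target): ${JSON.stringify(safe)}`);`. The warn in the first hunk, `Skipping invalid entry (${validationError})`, has the opposite gap and drops the name altogether, so that skip cannot be traced back to an entry; using the same `JSON.stringify(safe)` there would make the two messages consistent. A short comment above `const resolved` would also help a later reader understand why the check is kept even though validateFileName already ran, e.g. `// Defence in depth after validateFileName: compare against target + path.sep so a sibling such as "target2" is rejected too`. extractZipInternal starts and ends outside both hunks.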