diff --git a/apps/dokploy/utils/schema.ts b/apps/dokploy/utils/schema.ts
index addbbc344..3d2c75188 100644
--- a/apps/dokploy/utils/schema.ts
+++ b/apps/dokploy/utils/schema.ts
@@ -28,7 +28,13 @@ export const uploadFileToContainerSchema = zfd.formData({
 .min(1)
 .regex(/^[a-zA-Z0-9.\-_]+$/, "Invalid container ID"),
 file: zfd.file(),
- destinationPath: z.string().min(1),
+ destinationPath: z
+ .string()
+ .min(1)
+ .regex(
+ /^[a-zA-Z0-9.\-_/]+$/,
+ "Invalid destination path: only alphanumeric characters, dots, dashes, underscores, and forward slashes are allowed",
+ ),
 serverId: z.string().optional(),
 });
diff --git a/packages/server/src/services/docker.ts b/packages/server/src/services/docker.ts
index e49adbb94..902041c53 100644
--- a/packages/server/src/services/docker.ts
+++ b/packages/server/src/services/docker.ts
@@ -655,6 +655,8 @@ export const getAllContainerStats = async (serverId?: string) => {
 }
 };
+const destinationPathRegex = /^[a-zA-Z0-9.\-_/]+$/;
+
 export const uploadFileToContainer = async (
 containerId: string,
 fileBuffer: Buffer,
@@ -667,7 +669,10 @@ export const uploadFileToContainer = async (
 throw new Error("Invalid container ID");
 }
- // Ensure destination path starts with /
+ if (!destinationPathRegex.test(destinationPath)) {
+ throw new Error("Invalid destination path: shell metacharacters are not allowed");
+ }
+
 const normalizedPath = destinationPath.startsWith("/")
 ? destinationPath
 : `/${destinationPath}`;
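Review bot: The allow-list added to `destinationPath` in `uploadFileToContainerSchema` accepts `.` and `/` in any combination, so a value containing `..` segments passes validation; if the upload is meant to stay under a fixed directory inside the container, add a separate check such as `.refine((p) => !p.split("/").includes(".."), "Destination path must not contain '..' segments")` rather than relying on the character class alone. The identical pattern is declared a second time in packages/server/src/services/docker.ts in this commit; exporting one shared constant and referencing it from both the schema and the service keeps the two checks from drifting apart. The enclosing `uploadFileToContainerSchema` declaration starts before this hunk.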
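Review bot: The new guard in `uploadFileToContainer` drops the `// Ensure destination path starts with /` comment without replacing it, leaving the `normalizedPath` expression that follows undocumented; keep a short comment above it, e.g. `// Path passed the allow-list above; make it absolute so it resolves inside the container.` The error message names shell metacharacters, but the regex also rejects spaces and non-ASCII characters, so the message should state what is accepted, as the schema.ts message in this commit does. The allow-list keeps metacharacters out of whatever command is later built from normalizedPath (outside this hunk), but if that path is interpolated into a command string, passing it as a separate argument to the process rather than through a shell would be the more robust fix, with the regex kept as defense in depth. The function body continues past the end of the hunk.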