diff --git a/src/main/java/org/cellocad/api/FileController.java b/src/main/java/org/cellocad/api/FileController.java
index 66674347..df6a63d4 100644
--- a/src/main/java/org/cellocad/api/FileController.java
+++ b/src/main/java/org/cellocad/api/FileController.java
@@ -137,7 +137,10 @@ String getResultFile(
 }
 String username = auth.getUsername(basic);
-
+ // Prevent path traversal: reject filenames with directory separators or parent references
+ if (filename.contains("..") || filename.contains("/") || filename.contains("\\")) {
+ throw new CelloNotFoundException("invalid filename");
+ }
 if(filename.endsWith(".png") || filename.endsWith(".pdf")) {
 String filePath = _resultPath + "/" + username + "/" + jobid + "/" + filename;