diff --git a/app/classes/web/routes/api/servers/server/backups/backup/index.py b/app/classes/web/routes/api/servers/server/backups/backup/index.py
index 055b4214..5d8fd2b5 100644
--- a/app/classes/web/routes/api/servers/server/backups/backup/index.py
+++ b/app/classes/web/routes/api/servers/server/backups/backup/index.py
@@ -414,6 +414,14 @@ class ApiServersServerBackupsBackupFilesIndexHandler(BaseApiHandler):
 "error_data": str(e),
 },
 )
+ self.helper.validate_traversal(
+ os.path.join(backup_conf["backup_location"], backup_conf["backup_id"]),
+ os.path.join(
+ backup_conf["backup_location"],
+ backup_conf["backup_id"],
+ data["filename"],
+ ),
+ )
 try:
 FileHelpers.del_file(
 os.path.join(
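Review bot: The new `self.helper.validate_traversal(...)` call sits before the `try:` that guards `FileHelpers.del_file`, so if the helper rejects a path by raising (its definition is not shown here), the exception bypasses the handler's JSON error path and the client gets a generic server error instead of a 4xx. Consider wrapping the call in its own `try`/`except` that returns the same error shape used just above (`"error_data": str(e)`), and logging the rejected `data["filename"]` so traversal attempts are visible in the audit trail. The helper's result is also discarded and the delete re-joins the path from the raw inputs; if the helper returns the resolved path, passing that value to `del_file` would guarantee the checked path and the deleted path are the same. The enclosing method begins and ends outside this hunk, so the `del_file` arguments cannot be confirmed from here.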