diff --git a/fp-plugins/mediamanager/panels/panel.mediamanager.file.php b/fp-plugins/mediamanager/panels/panel.mediamanager.file.php
index 331a32ba..cb33c48b 100644
--- a/fp-plugins/mediamanager/panels/panel.mediamanager.file.php
+++ b/fp-plugins/mediamanager/panels/panel.mediamanager.file.php
@@ -77,6 +77,8 @@ function doItemActions($folder, $mmbaseurl) {
 /* delete file */
 if (isset($_GET ['deletefile'])) {
 list ($type, $name) = explode("-", $_GET ['deletefile'], 2);
+ // prevent path traversal: remove ".." and "/" resp. "\"
+ $name = preg_replace('(\.\.|\/|\\\\)', '', $name);
 switch ($type) {
 case 'attachs':
 $type = ABS_PATH . ATTACHS_DIR;
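Review bot: The added `preg_replace` on `$name` is a strip-based deny-list that runs in a single pass, so removing a separator can leave a fresh `..` behind, and `''`, `.` and `..` all survive as the resulting `$name`; it also silently rewrites legitimate names that happen to contain `..` (e.g. `a..b.txt`) so those files become undeletable, and it does not address NUL bytes. Rejecting is safer than rewriting: `$name = basename($name);` followed by `if ($name === '' || $name === '.' || $name === '..' || strpos($name, "\0") !== false) { return; }` (the abort form depends on how doItemActions reports errors, which is outside the hunk), and the final path should be checked with `realpath()` to confirm it still starts with the intended base directory before any unlink. The `(...)` delimiter style is valid PCRE but unusual; a conventional `'/.../'` form with a comment on each alternative would be easier to audit. doItemActions starts at the hunk header and its body continues beyond the hunk, so how `$type` and `$name` are joined afterwards is not visible here.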