diff --git a/server/utils/password-reset-log.js b/server/utils/password-reset-log.js
index 0c00a49..c5bb0b6 100644
--- a/server/utils/password-reset-log.js
+++ b/server/utils/password-reset-log.js
@@ -5,11 +5,16 @@ import path from 'path'
 const RETENTION_MS = 72 * 60 * 60 * 1000

 function getDataPath(filename) {
- const cwd = process.cwd()
- if (cwd.endsWith('.output')) {
- return path.join(cwd, '../server/data', filename)
+ // sanitize filename: only allow a simple basename (no path separators)
+ const safeName = path.basename(String(filename || ''))
+ // whitelist valid characters to avoid any traversal or weird names
+ if (!/^[a-zA-Z0-9._-]+$/.test(safeName)) {
+ throw new Error('Invalid data filename')
 }
- return path.join(cwd, 'server/data', filename)
+
+ const cwd = process.cwd()
+ const dataDir = cwd.endsWith('.output') ? path.join(cwd, '../server/data') : path.join(cwd, 'server/data')
+ return path.join(dataDir, safeName)
 }

 const LOG_FILE = getDataPath('password-reset.log.jsonl')
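Review bot: The allowlist in `getDataPath` still accepts the names `.` and `..`, because `path.basename` returns them unchanged and `/^[a-zA-Z0-9._-]+$/` matches both, so `path.join(dataDir, safeName)` can resolve to the data directory itself or its parent rather than a file inside it. Reject them explicitly, e.g. `if (safeName === '.' || safeName === '..' || !/^[a-zA-Z0-9._-]+$/.test(safeName)) {`. Separately, `path.basename` silently strips directory components instead of rejecting them, so a caller that passes a path gets a different file than it asked for; comparing `safeName !== String(filename)` and throwing would surface that as an error. The only caller visible in this hunk passes a constant, so this is hardening rather than a reachable bug as far as the diff shows.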