diff --git a/man/man7/telodendria-changelog.7 b/man/man7/telodendria-changelog.7
index e33cb8c..62505e9 100644
--- a/man/man7/telodendria-changelog.7
+++ b/man/man7/telodendria-changelog.7
@@ -68,6 +68,10 @@ would occur in some edge cases.
 .It
 Fixed an "off-by-one" error in the HTTP server request parser that
 prevented GET parameters from being parsed.
+.It
+Fixed the database file name generator to prevent directory
+traversal attacks by replacing characters with special meaning
+with safer characters.
 .El
 .Pp
 Misc.:
diff --git a/src/Db.c b/src/Db.c
index 88c9a83..054ad97 100644
--- a/src/Db.c
+++ b/src/Db.c
@@ -208,10 +208,30 @@ DbFileName(Db * db, Array * args)
     for (i = 0; i < ArraySize(args); i++)
     {
         char *tmp, *tmp2;
+        char *arg = UtilStringDuplicate(ArrayGet(args, i));
 
-        tmp = UtilStringConcat(str, ArrayGet(args, i));
-        tmp2 = UtilStringConcat(tmp, (i < ArraySize(args) - 1) ? "/" : ".json");
+        /* Sanitize name to prevent directory traversal attacks */
+        while (*arg)
+        {
+            switch (*arg)
+            {
+                case '/':
+                    *arg = '_';
+                    break;
+                case '.':
+                    *arg = '-';
+                    break;
+                default:
+                    break;
+            }
+            arg++;
+        }
 
+        tmp = UtilStringConcat(str, arg);
+        tmp2 = UtilStringConcat(tmp,
+                                (i < ArraySize(args) - 1) ? "/" : ".json");
+
+        Free(arg);
 
         Free(str);
         Free(tmp);
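Review bot: The sanitizing loop in the Db.c hunk advances `arg` itself (`arg++`), so when it exits `arg` points at the terminating NUL: `tmp = UtilStringConcat(str, arg)` then appends an empty component instead of the sanitized name, and `Free(arg)` receives a pointer into the middle of the buffer rather than the one `UtilStringDuplicate` returned, which is undefined behavior if `Free` releases that allocation. Walk a separate cursor (or an index) and leave `arg` pointing at the start of the buffer, as in the rewrite below. `UtilStringDuplicate`'s result is also dereferenced without a NULL check; if it can fail on allocation, a caller-supplied name turns that into a crash rather than an error return. The replacement is also not injective — `.`→`-` and `/`→`_` make, for example, `a.b` and `a-b` resolve to the same file — so if callers rely on distinct keys yielding distinct files, escaping or rejecting these characters would be safer than substituting them. DbFileName's loop body and the function itself continue past the hunk.
```c
        char *arg = UtilStringDuplicate(ArrayGet(args, i));
        char *p;
        /* … unchanged: tmp/tmp2 declarations … */

        /* Sanitize name to prevent directory traversal attacks. Walk a
         * separate cursor so arg keeps pointing at the allocation that the
         * concat below reads and Free(arg) releases. */
        for (p = arg; *p; p++)
        {
            switch (*p)
            {
                case '/':
                    *p = '_';
                    break;
                case '.':
                    *p = '-';
                    break;
                default:
                    break;
            }
        }
        /* … unchanged: UtilStringConcat calls and Free(arg)/Free(str)/Free(tmp) … */
```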