diff --git a/src/main/java/org/jeecgframework/web/system/controller/core/SystemController.java b/src/main/java/org/jeecgframework/web/system/controller/core/SystemController.java
index 9cfc9b65..e8a5e8b3 100644
--- a/src/main/java/org/jeecgframework/web/system/controller/core/SystemController.java
+++ b/src/main/java/org/jeecgframework/web/system/controller/core/SystemController.java
@@ -1244,6 +1244,7 @@ public class SystemController extends BaseController {
 try {
 String localPath=ResourceUtil.getConfigByName("webUploadpath");
 String imgurl = localPath+File.separator+dbpath;
+ imgurl = imgurl.replace("..", "").replace("../", "");
 inputStream = new BufferedInputStream(new FileInputStream(imgurl));
 outputStream = response.getOutputStream();
 byte[] buf = new byte[1024];
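Review bot: The added `imgurl.replace("..", "").replace("../", "")` line silently rewrites the path instead of checking that the resolved file stays under the `webUploadpath` root, so it is a string filter, not a containment check. The second `replace("../", "")` can never match once every `..` is gone. The filter also runs over the configured `localPath` prefix, so a root or a legitimate file name containing `..` is mangled and the open fails. It does nothing about symlinks inside the upload directory. I would canonicalise both the root and the requested file, refuse the request when the canonical target is not below the canonical root, and open the canonical file. The enclosing method starts and ends outside this hunk, as does the origin of `dbpath`, so the rejection path below (`sendError` and `return`) is an assumption to adapt to the method's return type and its existing catch/finally handling.

```java
String localPath=ResourceUtil.getConfigByName("webUploadpath");
// Resolve dot segments and symlinks once, then compare against the upload root.
File uploadRoot = new File(localPath).getCanonicalFile();
File requested = new File(uploadRoot, dbpath).getCanonicalFile();
if (!requested.getPath().startsWith(uploadRoot.getPath() + File.separator)) {
    // Reject rather than rewrite: the caller asked for something outside the root.
    response.sendError(HttpServletResponse.SC_NOT_FOUND);
    return;
}
inputStream = new BufferedInputStream(new FileInputStream(requested));
// … unchanged: outputStream setup and copy loop …
```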