diff --git a/controllers/admin/emoji.go b/controllers/admin/emoji.go
index 43028e6b7..810b629d1 100644
--- a/controllers/admin/emoji.go
+++ b/controllers/admin/emoji.go
@@ -76,9 +76,13 @@ func DeleteCustomEmoji(w http.ResponseWriter, r *http.Request) {
 return
 }
 
- // var emojiFileName = filepath.Base(emoji.Name)
 targetPath := filepath.Join(config.CustomEmojiPath, emoji.Name)
 
+ if !filepath.IsLocal(targetPath) {
+ controllers.WriteSimpleResponse(w, false, "Emoji path is not valid")
+ return
+ }
+
 if err := os.Remove(targetPath); err != nil {
 if os.IsNotExist(err) {
 controllers.WriteSimpleResponse(w, false, fmt.Sprintf("Emoji %q doesn't exist", emoji.Name))
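Review bot: The added guard calls `filepath.IsLocal` on the joined `targetPath` rather than on the request-supplied `emoji.Name`, so it does not confine the deletion to the emoji directory. `filepath.Join` cleans its result, so if `config.CustomEmojiPath` is a relative path (its value is not visible in this hunk), a name whose parent-directory components resolve outside the emoji directory but still inside the working directory yields a local-looking path and passes the check. If the base path is absolute, `IsLocal` rejects every path and deletion stops working. Validating the untrusted component before joining closes both cases: `if !filepath.IsLocal(emoji.Name) {` placed ahead of the `filepath.Join` call, or reducing the name with `filepath.Base(emoji.Name)` as the removed comment suggested. The body of `DeleteCustomEmoji` starts and ends outside the hunk, so any earlier validation of `emoji.Name` should be confirmed there.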