diff --git a/frappe/core/doctype/package/package.py b/frappe/core/doctype/package/package.py
index 9f0e959092..72d59ccc24 100644
--- a/frappe/core/doctype/package/package.py
+++ b/frappe/core/doctype/package/package.py
@@ -2,6 +2,7 @@
 # For license information, please see license.txt
 import os
+from string import ascii_letters, digits
 import frappe
 from frappe.model.document import Document
@@ -34,6 +35,10 @@ class Package(Document):
 if not self.package_name:
 self.package_name = self.name.lower().replace(" ", "-")
+ allowed_characters = ascii_letters + digits + "-"
+ if not all(c in allowed_characters for c in self.package_name):
+ frappe.throw("Package name can only contain letters, digits and hyphens")
+
 @frappe.whitelist()
 def get_license_text(license_type: str) -> str | None:
diff --git a/frappe/core/doctype/package_release/package_release.py b/frappe/core/doctype/package_release/package_release.py
index 43316c9761..b298a10d37 100644
--- a/frappe/core/doctype/package_release/package_release.py
+++ b/frappe/core/doctype/package_release/package_release.py
@@ -3,6 +3,7 @@
 import os
 import subprocess
+from pathlib import Path
 import frappe
 from frappe.model.document import Document
@@ -65,12 +66,16 @@ class PackageRelease(Document):
 )
 def validate(self):
- if self.publish:
- self.export_files()
-
- def export_files(self):
- """Export all the documents in this package to site/packages folder"""
 package = frappe.get_doc("Package", self.package)
+ package_path = Path(frappe.get_site_path("packages", package.package_name))
+ if not package_path.resolve().is_relative_to(Path(frappe.get_site_path()).resolve()):
+ frappe.throw("Invalid package path: " + package_path.as_posix())
+
+ if self.publish:
+ self.export_files(package)
+
+ def export_files(self, package):
+ """Export all the documents in this package to site/packages folder"""
 self.export_modules()
 self.export_package_files(package)
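Review bot: The allow-list added to `Package.validate` still accepts a name that starts with a hyphen or consists only of hyphens, because `all(...)` tests each character but not its position. If `package_name` is later used as a directory name or handed to a command line (package_release.py imports `subprocess`, though no call is visible in this diff), a leading `-` can be read as an option, so a positional check is tighter: `if not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9-]*", self.package_name):` with `import re` added. The message is also a bare string; Frappe convention is to wrap user-facing text in `_()`, which needs `from frappe import _` if the module does not already import it. `validate` begins above this hunk.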
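Review bot: The containment check in `PackageRelease.validate` compares against the site root rather than the `packages` directory, so a `package_name` that resolves to some other directory inside the site still passes. Anchoring it to the directory the export writes to is stricter: `base = Path(frappe.get_site_path("packages")).resolve()` followed by `if not package_path.resolve().is_relative_to(base) or package_path.resolve() == base:`. The error text also returns the computed filesystem path to the caller; a fixed message, with the path written to the server log, discloses less. `export_files` now requires a `package` argument, so any caller outside this hunk needs the same update, and its body may continue below the hunk.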