diff --git a/src/Http/Controllers/HandleActionController.php b/src/Http/Controllers/HandleActionController.php
index 9adab31ad..fa05a3227 100644
--- a/src/Http/Controllers/HandleActionController.php
+++ b/src/Http/Controllers/HandleActionController.php
@@ -42,7 +42,7 @@ protected function resolveActionInstance(Request $request): Action
 $actionClass = str_replace('_', '\\', $request->get('_action'));
- if (! class_exists($actionClass)) {
+ if (! class_exists($actionClass) || ! is_subclass_of($actionClass, Action::class)) {
 throw new AdminException("Action [{$actionClass}] does not exist.");
 }
diff --git a/src/Http/Controllers/RenderableController.php b/src/Http/Controllers/RenderableController.php
index faadf9c9f..42067ff77 100644
--- a/src/Http/Controllers/RenderableController.php
+++ b/src/Http/Controllers/RenderableController.php
@@ -51,6 +51,10 @@ protected function newRenderable(Request $request): LazyRenderable
 $class = str_replace('_', '\\', $class);
+ if (! class_exists($class) || ! is_subclass_of($class, LazyRenderable::class)) {
+ throw new \InvalidArgumentException("Renderable [{$class}] does not exist or does not implement LazyRenderable.");
+ }
+
 $renderable = new $class();
 $renderable->payload($request->all());
diff --git a/src/Http/Controllers/TinymceController.php b/src/Http/Controllers/TinymceController.php
index b4018efe7..1ea6fd0f0 100644
--- a/src/Http/Controllers/TinymceController.php
+++ b/src/Http/Controllers/TinymceController.php
@@ -12,7 +12,7 @@ class TinymceController
 public function upload(Request $request)
 {
 $file = $request->file('file');
- $dir = trim($request->get('dir'), '/');
+ $dir = $this->sanitizeDir($request->get('dir'));
 $disk = $this->disk();
 $newName = $this->generateNewName($file);
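Review bot: `is_subclass_of($actionClass, Action::class)` on the new `+` line still admits abstract subclasses of Action, so a request naming one passes this guard and, if the method goes on to `new` it, dies with `Error: Cannot instantiate abstract class` instead of the AdminException; the unchanged message also now reports a class that exists but is not an Action as one that "does not exist", which hides the real rejection reason in logs. Tightening the condition to `if (! class_exists($actionClass) || ! is_subclass_of($actionClass, Action::class) || (new \ReflectionClass($actionClass))->isAbstract())` with a second message such as `"Action [{$actionClass}] is not a valid action."` addresses both. Note that `class_exists()` still autoloads the attacker-chosen name before the type check runs — presumably tolerable under Composer's autoloader, but an allowlist of registered actions would remove that surface entirely. The remainder of resolveActionInstance, including the instantiation, lies outside this hunk.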
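Review bot: The new guard throws a bare `\InvalidArgumentException` for a client-controlled class name, while the parallel check added to HandleActionController in this same commit throws AdminException; unless the admin exception handler also maps the former, a bad class parameter here becomes a 500 rather than a handled error (where `$class` is read from is set before the hunk and not visible). If AdminException is available in this file, `throw new AdminException("Renderable [{$class}] does not exist or does not implement LazyRenderable.");` keeps the two endpoints consistent. As with the action check, `is_subclass_of` does not exclude abstract subclasses, so `new $class()` on the next context line can still hit `Error: Cannot instantiate abstract class` for a well-chosen name; adding `|| ! (new \ReflectionClass($class))->isInstantiable()` to the condition closes that. newRenderable starts above the hunk.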
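Review bot: `$this->sanitizeDir($request->get('dir'))` hands the raw request value to a helper typed `?string` (see the sanitizeDir hunk below), but `Request::get()` returns whatever the client sent, so `dir[]=x` produces an array and a TypeError (a 500) instead of a validation failure; the old `trim()` call had the same weakness, so this is the moment to fix it. A one-line guard keeps the helper's contract honest: `$dir = $this->sanitizeDir(is_string($rawDir = $request->get('dir')) ? $rawDir : null);`. `$file` is likewise passed unchecked on the following context line — `$request->file('file')` is null when no file is attached — though whether upload validates it further down is outside this hunk; a `$request->validate(['file' => 'required|file'])` (or the admin package's equivalent) before these lines would cover both inputs. upload's body continues past the hunk.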
@@ -27,6 +27,22 @@ protected function generateNewName(UploadedFile $file)
 return uniqid(md5($file->getClientOriginalName()), true).'.'.$file->getClientOriginalExtension();
 }
+ /**
+ * Sanitize directory path to prevent path traversal.
+ */
+ protected function sanitizeDir(?string $dir): string
+ {
+ $dir = trim($dir ?? '', '/');
+
+ // 移除路径遍历字符
+ $dir = str_replace(['../', '..\\', '..'], '', $dir);
+
+ // 确保路径不以点开头(隐藏文件)
+ $dir = ltrim($dir, '.');
+
+ return $dir ?: 'uploads';
+ }
+
 /**
 * @return \Illuminate\Contracts\Filesystem\Filesystem|FilesystemAdapter
 */
@@ -34,6 +50,11 @@ protected function disk()
 {
 $disk = request()->get('disk') ?: config('admin.upload.disk');
+ // 验证磁盘配置存在
+ if (! config("filesystems.disks.{$disk}")) {
+ $disk = config('admin.upload.disk', 'local');
+ }
+
 return Storage::disk($disk);
 }
 }
diff --git a/src/Repositories/EloquentRepository.php b/src/Repositories/EloquentRepository.php
index cea721ced..142b26a63 100755
--- a/src/Repositories/EloquentRepository.php
+++ b/src/Repositories/EloquentRepository.php
@@ -872,9 +872,8 @@ protected function updateRelation(Form $form, EloquentModel $model, array $relat
 $parent->save();
 // When in creating, associate two models
- $foreignKeyMethod = version_compare(app()->version(), '5.8.0', '<') ? 'getForeignKey' : 'getForeignKeyName';
- if (! $model->{$relation->{$foreignKeyMethod}()}) {
- $model->{$relation->{$foreignKeyMethod}()} = $parent->getKey();
+ if (! $model->{$relation->getForeignKeyName()}) {
+ $model->{$relation->getForeignKeyName()} = $parent->getKey();
 $model->save();
 }
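Review bot: sanitizeDir rewrites the input instead of rejecting it, and the rewrite can yield a path the caller never intended: for `..//`, `str_replace` strips the `../` and leaves `/`, which is truthy, so the `?: 'uploads'` fallback does not fire and the slash that `trim($dir ?? '', '/')` just removed is back at the front of the result; likewise `ltrim($dir, '.')` only covers the first segment, so `foo/.hidden` passes untouched. The `..` deletion itself is complete (non-overlapping removal of `..` leaves at most one dot in any run), and Flysystem — which Laravel's Storage disks are built on, as far as I can tell — refuses paths that resolve outside the disk root anyway, so this is a path-shape bug rather than an escape, but a deny-list is still the wrong tool for an attacker-controlled path segment. Validate against an allowlist and throw on anything else (adjust the character class if non-ASCII directory names are required), which also removes the silent redirect to `uploads` on bad input. The two inline comments are in Chinese while the other comments in this diff are English; `// Remove path traversal sequences` and `// Disallow a leading dot (hidden directory)` would match the file.

```php
protected function sanitizeDir(?string $dir): string
{
    $dir = trim($dir ?? '', '/');

    // Allowlist rather than deleting "..": a rewrite can produce a path the
    // client never sent (e.g. "..//" collapses to "/") and leaves dot-segments
    // in non-leading positions ("foo/.hidden") untouched.
    if ($dir !== '' && ! preg_match('#^[A-Za-z0-9_\-]+(/[A-Za-z0-9_\-]+)*$#', $dir)) {
        throw new \InvalidArgumentException('Invalid upload directory.');
    }

    return $dir ?: 'uploads';
}
```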
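Review bot: The added check only confirms that `$disk` names a configured filesystem, so anyone who can reach this upload endpoint still chooses any entry in `filesystems.disks` — private or unrelated buckets included — and `config("filesystems.disks.{$disk}")` also accepts dotted values such as `local.driver`, which in a default Laravel config resolve to a truthy nested entry and then fail inside `Storage::disk()` rather than with a clean rejection. Being configured is not the same as being an allowed upload target; restrict the override to an explicit list of upload disks held in the admin upload config (or drop the request override entirely if nothing needs it), e.g. `if (! is_string($disk) || ! in_array($disk, $allowedUploadDisks, true))` before falling back to the default. The `is_string` guard also covers `disk[]=x`, which otherwise interpolates as the literal `Array`. The signature of disk() sits in the hunk header rather than in the hunk itself.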