diff --git a/pkg/api/plugins.go b/pkg/api/plugins.go
index ca076671e36..7cf31dedd40 100644
--- a/pkg/api/plugins.go
+++ b/pkg/api/plugins.go
@@ -490,15 +490,15 @@ func (hs *HTTPServer) pluginMarkdown(ctx context.Context, pluginId string, name
 	}
 
 	// nolint:gosec
-	// We can ignore the gosec G304 warning on this one because `plugin.PluginDir` is based
-	// on plugin the folder structure on disk and not user input.
-	path := filepath.Join(plugin.PluginDir, fmt.Sprintf("%s.md", strings.ToUpper(name)))
+	// We can ignore the gosec G304 warning since we have cleaned the requested file path and subsequently
+	// use this with a prefix of the plugin's directory, which is set during plugin loading
+	path := filepath.Join(plugin.PluginDir, mdFilepath(strings.ToUpper(name)))
 	exists, err := fs.Exists(path)
 	if err != nil {
 		return nil, err
 	}
 	if !exists {
-		path = filepath.Join(plugin.PluginDir, fmt.Sprintf("%s.md", strings.ToLower(name)))
+		path = filepath.Join(plugin.PluginDir, mdFilepath(strings.ToLower(name)))
 	}
 
 	exists, err = fs.Exists(path)
@@ -510,11 +510,15 @@ func (hs *HTTPServer) pluginMarkdown(ctx context.Context, pluginId string, name
 	}
 
 	// nolint:gosec
-	// We can ignore the gosec G304 warning on this one because `plugin.PluginDir` is based
-	// on plugin the folder structure on disk and not user input.
+	// We can ignore the gosec G304 warning since we have cleaned the requested file path and subsequently
+	// use this with a prefix of the plugin's directory, which is set during plugin loading
 	data, err := ioutil.ReadFile(path)
 	if err != nil {
 		return nil, err
 	}
 	return data, nil
 }
+
+func mdFilepath(mdFilename string) string {
+	return filepath.Clean(filepath.Join("/", fmt.Sprintf("%s.md", mdFilename)))
+}
diff --git a/pkg/tsdb/testdatasource/csv_data.go b/pkg/tsdb/testdatasource/csv_data.go
index 2c1b56517ab..78641c0c310 100644
--- a/pkg/tsdb/testdatasource/csv_data.go
+++ b/pkg/tsdb/testdatasource/csv_data.go
@@ -77,13 +77,14 @@ func (s *Service) handleCsvFileScenario(ctx context.Context, req *backend.QueryD
 }
 
 func (s *Service) loadCsvFile(fileName string) (*data.Frame, error) {
-	validFileName := regexp.MustCompile(`([\w_]+)\.csv`)
+	validFileName := regexp.MustCompile(`^\w+\.csv$`)
 
 	if !validFileName.MatchString(fileName) {
 		return nil, fmt.Errorf("invalid csv file name: %q", fileName)
 	}
 
-	filePath := filepath.Join(s.cfg.StaticRootPath, "testdata", fileName)
+	csvFilepath := filepath.Clean(filepath.Join("/", fileName))
+	filePath := filepath.Join(s.cfg.StaticRootPath, "testdata", csvFilepath)
 
 	// Can ignore gosec G304 here, because we check the file pattern above
 	// nolint:gosec