diff --git a/backend/database.js b/backend/database.js
index e5f2424..578dcd6 100644
--- a/backend/database.js
+++ b/backend/database.js
@@ -1,6 +1,7 @@
 const Database = require('better-sqlite3');
 const bcrypt = require('bcryptjs');
 const path = require('path');
+const crypto = require('crypto');
 
 // 创建或连接数据库
 const db = new Database(path.join(__dirname, 'ftp-manager.db'));
@@ -297,9 +298,10 @@ const ShareDB = {
   // 生成随机分享码
   generateShareCode(length = 8) {
     const chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
+    const bytes = crypto.randomBytes(length);
     let code = '';
     for (let i = 0; i < length; i++) {
-      code += chars.charAt(Math.floor(Math.random() * chars.length));
+      code += chars[bytes[i] % chars.length];
     }
     return code;
   },
diff --git a/backend/server.js b/backend/server.js
index 098ce8d..bc75f91 100644
--- a/backend/server.js
+++ b/backend/server.js
@@ -197,6 +197,17 @@ function buildHttpDownloadUrl(rawBaseUrl, filePath) {
   }
 }
 
+// 校验文件名/路径片段安全（禁止分隔符、控制字符、..）
+function isSafePathSegment(name) {
+  return (
+    typeof name === 'string' &&
+    name.length > 0 &&
+    !name.includes('..') &&
+    !/[/\\]/.test(name) &&
+    !/[\x00-\x1F]/.test(name)
+  );
+}
+
 // 应用XSS过滤到所有POST/PUT请求的body
 app.use((req, res, next) => {
   if ((req.method === 'POST' || req.method === 'PUT') && req.body) {
@@ -1986,9 +1997,27 @@ app.post('/api/upload', authMiddleware, upload.single('file'), async (req, res)
   const remotePath = req.body.path || '/';
   // 修复中文文件名：multer将UTF-8转为了Latin1，需要转回来
   const originalFilename = Buffer.from(req.file.originalname, 'latin1').toString('utf8');
-  const remoteFilePath = remotePath === '/'
+  // 文件名安全校验
+  if (!isSafePathSegment(originalFilename)) {
+    return res.status(400).json({
+      success: false,
+      message: '文件名包含非法字符'
+    });
+  }
+
+  // 路径安全校验
+  const normalizedPath = path.posix.normalize(remotePath || '/');
+  if (normalizedPath.includes('..')) {
+    return res.status(400).json({
+      success: false,
+      message: '上传路径非法'
+    });
+  }
+  const safePath = normalizedPath === '.' ? '/' : normalizedPath;
+
+  const remoteFilePath = safePath === '/'
     ? `/${originalFilename}`
-    : `${remotePath}/${originalFilename}`;
+    : `${safePath}/${originalFilename}`;
 
   let storage;
 
@@ -3123,6 +3152,7 @@ app.get('/api/admin/users', authMiddleware, adminMiddleware, (req, res) => {
         email: u.email,
         is_admin: u.is_admin,
         is_active: u.is_active,
+        is_verified: u.is_verified,
         is_banned: u.is_banned,
         has_ftp_config: u.has_ftp_config,
         created_at: u.created_at,
diff --git a/frontend/app.html b/frontend/app.html
index 6d8c473..c071780 100644
--- a/frontend/app.html
+++ b/frontend/app.html
@@ -1733,6 +1733,7 @@
                 </td>
                 <td style="padding: 10px; text-align: center;">
                   <span v-if="u.is_banned" style="color: #dc3545; font-weight: 600;">已封禁</span>
+                  <span v-else-if="!u.is_verified" style="color: #fd7e14; font-weight: 600;">未激活</span>
                   <span v-else style="color: #28a745;">正常</span>
                 </td>
                 <td style="padding: 10px; text-align: center;">