Check the tmpimg path is in the expected folder

src/Umbraco.Infrastructure/PropertyEditors/RichTextEditorPastedImages.cs

@@ -74,6 +74,7 @@ public sealed class RichTextEditorPastedImages
         // we have already processed to avoid dupes
         var uploadedImages = new Dictionary<string, GuidUdi>();
 
+
         foreach (HtmlNode? img in tmpImages)
         {
             // The data attribute contains the path to the tmp img to persist as a media item
@@ -84,6 +85,11 @@ public sealed class RichTextEditorPastedImages
                 continue;
             }
 
+            if (IsValidPath(tmpImgPath) == false)
+            {
+                continue;
+            }
+
             var absoluteTempImagePath = _hostingEnvironment.MapPathContentRoot(tmpImgPath);
             var fileName = Path.GetFileName(absoluteTempImagePath);
             var safeFileName = fileName.ToSafeFileName(_shortStringHelper);
@@ -184,4 +190,6 @@ public sealed class RichTextEditorPastedImages
 
         return htmlDoc.DocumentNode.OuterHtml;
     }
+
+    private bool IsValidPath(string imagePath) => imagePath.StartsWith(Constants.SystemDirectories.TempImageUploads);
 }