diff --git a/framework/CHANGELOG.md b/framework/CHANGELOG.md
index f8b72be..640897e 100644
--- a/framework/CHANGELOG.md
+++ b/framework/CHANGELOG.md
@@ -22,6 +22,7 @@ Yii Framework 2 Change Log
 - Enh #18899: Replace usages of `strpos` with `strncmp` and remove redundant usage of `array_merge` and `array_values` (AlexGx)
 - Bug #18898: Fix `yii\helpers\Inflector::camel2words()` to work with words ending with 0 (michaelarnauts)
 - Enh #18904: Improve Captcha client-side validation (hexkir)
+- Bug #18913: Add filename validation for `MessageSource::getMessageFilePath()` (uaoleg)
 
 
 2.0.43 August 09, 2021
diff --git a/framework/i18n/GettextMessageSource.php b/framework/i18n/GettextMessageSource.php
index d96fb52..7e6ddbb 100644
--- a/framework/i18n/GettextMessageSource.php
+++ b/framework/i18n/GettextMessageSource.php
@@ -8,6 +8,7 @@
 namespace yii\i18n;
 
 use Yii;
+use yii\base\InvalidArgumentException;
 
 /**
 * GettextMessageSource represents a message source that is based on GNU Gettext.
@@ -129,6 +130,10 @@ class GettextMessageSource extends MessageSource
 */
 protected function getMessageFilePath($language)
 {
+ $language = (string) $language;
+ if ($language !== '' && !preg_match('/^[a-z_-]+$/i', $language)) {
+ throw new InvalidArgumentException(sprintf('Invalid language code: "%s".', $language));
+ }
 $messageFile = Yii::getAlias($this->basePath) . '/' . $language . '/' . $this->catalog;
 if ($this->useMoFile) {
 $messageFile .= self::MO_FILE_EXT;
diff --git a/framework/i18n/PhpMessageSource.php b/framework/i18n/PhpMessageSource.php
index 4bcfcd9..4dd860a 100644
--- a/framework/i18n/PhpMessageSource.php
+++ b/framework/i18n/PhpMessageSource.php
@@ -8,6 +8,7 @@
 namespace yii\i18n;
 
 use Yii;
+use yii\base\InvalidArgumentException;
 
 /**
 * PhpMessageSource represents a message source that stores translated messages in PHP scripts.
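Review bot: In GettextMessageSource::getMessageFilePath() the new guard `/^[a-z_-]+$/i` is both slightly too loose and too strict. Without the `D` modifier, `$` also matches just before a trailing newline, so a language value ending in a line feed still passes and reaches the path concatenation; and because digits are excluded, locale IDs with a numeric region subtag (for example `es-419`) now throw. Consider `if ($language !== '' && !preg_match('/^[a-z0-9_-]+\z/i', $language)) {`. The identical guard is added to PhpMessageSource::getMessageFilePath() in the later hunk, so the same change applies there, and a shared helper on the base class would keep the two copies from drifting. The function body continues past the end of this hunk.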
@@ -132,6 +133,10 @@ class PhpMessageSource extends MessageSource
 */
 protected function getMessageFilePath($category, $language)
 {
+ $language = (string) $language;
+ if ($language !== '' && !preg_match('/^[a-z_-]+$/i', $language)) {
+ throw new InvalidArgumentException(sprintf('Invalid language code: "%s".', $language));
+ }
 $messageFile = Yii::getAlias($this->basePath) . "/$language/";
 if (isset($this->fileMap[$category])) {
 $messageFile .= $this->fileMap[$category];
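Review bot: Only `$language` is validated in PhpMessageSource::getMessageFilePath(), while `$category` also selects the file name that is appended to `$messageFile` in the context lines that follow the guard. The visible lines show only the `fileMap` branch and the rest of the function lies outside the hunk, so this is inferred, but if an unmapped category is turned into a path segment there, it deserves the same allowlist treatment, or a documented statement that categories are never caller-controlled. A short comment above the guard would also record the intent, e.g. `// Language becomes a directory name below; reject anything that could leave basePath.`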