diff --git a/pkg/plugins/manager/installer/installer.go b/pkg/plugins/manager/installer/installer.go
index 540ea913943..0d3a4a4c94d 100644
--- a/pkg/plugins/manager/installer/installer.go
+++ b/pkg/plugins/manager/installer/installer.go
@@ -620,7 +620,7 @@ func isSymlinkRelativeTo(basePath string, symlinkDestPath string, symlinkOrigPat
 			return false
 		}
 
-		if strings.HasPrefix(p, ".."+string(filepath.Separator)) {
+		if p == ".." || strings.HasPrefix(p, ".."+string(filepath.Separator)) {
 			return false
 		}
 	}
diff --git a/pkg/plugins/manager/installer/installer_test.go b/pkg/plugins/manager/installer/installer_test.go
index 9454594b47c..20a25f8b759 100644
--- a/pkg/plugins/manager/installer/installer_test.go
+++ b/pkg/plugins/manager/installer/installer_test.go
@@ -280,6 +280,34 @@ func TestIsSymlinkRelativeTo(t *testing.T) {
 			symlinkOrigPath: "/dir/sub-dir/test1.txt",
 			expected:        false,
 		},
+		{
+			desc:            "Symbolic link pointing to relative file outside basePath should return false",
+			basePath:        "/dir",
+			symlinkDestPath: "../../",
+			symlinkOrigPath: "/dir/sub-sir/symlink.txt",
+			expected:        false,
+		},
+		{
+			desc:            "Symbolic link pointing to relative file outside basePath should return false",
+			basePath:        "/dir",
+			symlinkDestPath: "../..",
+			symlinkOrigPath: "/dir/sub-sir/symlink.txt",
+			expected:        false,
+		},
+		{
+			desc:            "Symbolic link pointing to relative file outside basePath should return false",
+			basePath:        "/dir",
+			symlinkDestPath: "../../",
+			symlinkOrigPath: "/dir/sub-sir/",
+			expected:        false,
+		},
+		{
+			desc:            "Symbolic link pointing to relative file outside basePath should return false",
+			basePath:        "/dir",
+			symlinkDestPath: "../..",
+			symlinkOrigPath: "/dir/sub-sir/",
+			expected:        false,
+		},
 	}
 
 	for _, tc := range tcs {
diff --git a/pkg/plugins/manager/signature/manifest.go b/pkg/plugins/manager/signature/manifest.go
index a7dcb19516d..cc86a8dc4ee 100644
--- a/pkg/plugins/manager/signature/manifest.go
+++ b/pkg/plugins/manager/signature/manifest.go
@@ -109,6 +109,14 @@ func Calculate(mlog log.Logger, plugin *plugins.Plugin) (plugins.Signature, erro
 		}, nil
 	}
 
+	pluginFiles, err := pluginFilesRequiringVerification(plugin)
+	if err != nil {
+		mlog.Warn("Could not collect plugin file information in directory", "pluginID", plugin.ID, "dir", plugin.PluginDir)
+		return plugins.Signature{
+			Status: plugins.SignatureInvalid,
+		}, err
+	}
+
 	manifestPath := filepath.Join(plugin.PluginDir, "MANIFEST.txt")
 
 	// nolint:gosec
@@ -184,14 +192,6 @@ func Calculate(mlog log.Logger, plugin *plugins.Plugin) (plugins.Signature, erro
 	}
 
 	if manifest.isV2() {
-		pluginFiles, err := pluginFilesRequiringVerification(plugin)
-		if err != nil {
-			mlog.Warn("Could not collect plugin file information in directory", "pluginID", plugin.ID, "dir", plugin.PluginDir)
-			return plugins.Signature{
-				Status: plugins.SignatureInvalid,
-			}, err
-		}
-
 		// Track files missing from the manifest
 		var unsignedFiles []string
 		for _, f := range pluginFiles {
@@ -264,19 +264,19 @@ func pluginFilesRequiringVerification(plugin *plugins.Plugin) ([]string, error)
 				return err
 			}
 
-			// skip symlink directories
-			if symlink.IsDir() {
-				return nil
-			}
-
 			// verify that symlinked file is within plugin directory
 			p, err := filepath.Rel(plugin.PluginDir, symlinkPath)
 			if err != nil {
 				return err
 			}
-			if strings.HasPrefix(p, ".."+string(filepath.Separator)) {
+			if p == ".." || strings.HasPrefix(p, ".."+string(filepath.Separator)) {
 				return fmt.Errorf("file '%s' not inside of plugin directory", p)
 			}
+
+			// skip adding symlinked directories
+			if symlink.IsDir() {
+				return nil
+			}
 		}
 
 		// skip directories and MANIFEST.txt