diff --git a/inc/integrations/providers/laravel-forge/class-laravel-forge-integration.php b/inc/integrations/providers/laravel-forge/class-laravel-forge-integration.php
index f7d2021f3..877db524a 100644
--- a/inc/integrations/providers/laravel-forge/class-laravel-forge-integration.php
+++ b/inc/integrations/providers/laravel-forge/class-laravel-forge-integration.php
@@ -265,6 +265,18 @@ public function get_deploy_command(string $domain): string {
 $symlink_target = $this->get_credential('WU_FORGE_SYMLINK_TARGET');
 if ($deploy_command) {
+ // Validate domain to prevent shell command injection via metacharacters,
+ // mirroring the symlink branch below.
+ if (! preg_match('/^[a-z0-9][a-z0-9\-\.]*[a-z0-9]$/i', $domain)) {
+ wu_log_add(
+ 'integration-forge',
+ sprintf('Invalid domain format rejected for shell command: %s', $domain),
+ \Psr\Log\LogLevel::ERROR
+ );
+
+ return '';
+ }
+
 return str_replace('{domain}', $domain, $deploy_command);
 }
diff --git a/inc/ui/class-domain-mapping-element.php b/inc/ui/class-domain-mapping-element.php
index d4e3dfb99..84ba65e38 100644
--- a/inc/ui/class-domain-mapping-element.php
+++ b/inc/ui/class-domain-mapping-element.php
@@ -781,7 +781,14 @@ public function render_add_dns_record_modal(): void {
 }
 $dns_manager = \WP_Ultimo\Managers\DNS_Record_Manager::get_instance();
- $provider = $dns_manager->get_dns_provider();
+
+ // Same ownership gate the edit/add/delete DNS handlers enforce.
+ if (! $dns_manager->customer_can_manage_dns(get_current_user_id(), $domain->get_domain())) {
+ wp_send_json_error(new \WP_Error('permission-denied', __('You do not have permission to manage DNS for this domain.', 'ultimate-multisite')));
+ return;
+ }
+
+ $provider = $dns_manager->get_dns_provider();
 wu_get_template(
 'domain/dns-record-form',
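Review bot: In get_deploy_command, the new pattern ends with `$`, which in PCRE without the `D` modifier also matches just before a final newline, so a `$domain` value ending in a line break passes the check and the line break is substituted into the deploy command. Anchor both ends absolutely instead: `if (! preg_match('/\A[a-z0-9][a-z0-9\-\.]*[a-z0-9]\z/i', $domain)) {`. The rejected value is also handed to `wu_log_add` unmodified, so stripping control characters before formatting the message would keep each rejection on a single log line. The symlink branch the comment refers to is outside the hunk; if it uses the same pattern it needs the same anchor, and callers should be checked for how they treat the empty-string return.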
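Review bot: In render_add_dns_record_modal, the permission denial goes through `wp_send_json_error()` with no status code, so the response carries HTTP 200 and a refused DNS-management attempt looks like a normal request in access logs and to any client that checks only the status. Passing `403` as the second argument of `wp_send_json_error()` makes the denial explicit. `$domain` is assigned above the hunk, so these lines do not show whether it is always a valid object by the time `$domain->get_domain()` is called. The comment's claim that the edit/add/delete handlers enforce the same gate likewise cannot be confirmed from this hunk, and the method body continues past it.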