diff --git a/HISTORY.rst b/HISTORY.rst
index b963df38..cc5ee8f6 100644
--- a/HISTORY.rst
+++ b/HISTORY.rst
@@ -14,6 +14,11 @@ PlatformIO Core 6
 **A professional collaborative platform for declarative, safety-critical, and test-driven embedded development.**
+6.1.7 (2023-??-??)
+~~~~~~~~~~~~~~~~~~
+
+* Prevented shell injection when converting INO file to CPP (`issue #4532 `_)
+
 6.1.6 (2023-01-23)
 ~~~~~~~~~~~~~~~~~~
diff --git a/platformio/builder/tools/pioino.py b/platformio/builder/tools/pioino.py
index de1f8cf8..939cf9a0 100644
--- a/platformio/builder/tools/pioino.py
+++ b/platformio/builder/tools/pioino.py
@@ -103,7 +103,7 @@ class InoToCPPConverter:
 return "\n".join(["#include "] + lines) if lines else None
 def process(self, contents):
- out_file = self._main_ino + ".cpp"
+ out_file = re.sub(r"[\"\'\;]+", "", self._main_ino, flags=re.I) + ".cpp"
 assert self._gcc_preprocess(contents, out_file)
 contents = self.read_safe_contents(out_file)
 contents = self._join_multiline_strings(contents)
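Review bot: The new `out_file` line in `process` is a denylist of three characters (`"`, `'`, `;`), so every other character a shell treats specially passes through unchanged to `_gcc_preprocess`; `$` and the backquote, for instance, are still expanded inside double quotes. `_gcc_preprocess` is outside the hunk, so how `out_file` reaches the command line is inferred from the changelog entry. If the name is interpolated into a command string there, the durable fix is at that sink, by handing the compiler an argument list or quoting the path for the platform shell, rather than filtering the name here. If the filter stays, `flags=re.I` has no effect on a class with no letters and the backslashes before `'` and `;` are unnecessary: `re.sub(r"[\"';]+", "", self._main_ino)`. The guard on the following unchanged line is an `assert`, which is skipped under `python -O`, so a failed preprocess would go unnoticed in that mode.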