diff --git a/routers/web/repo/issue_content_history.go b/routers/web/repo/issue_content_history.go
index b6345e434c..69fcb583ac 100644
--- a/routers/web/repo/issue_content_history.go
+++ b/routers/web/repo/issue_content_history.go
@@ -189,15 +189,29 @@ func SoftDeleteContentHistory(ctx *context.Context) {
 	var comment *issues_model.Comment
 	var history *issues_model.ContentHistory
 	var err error
+
+	if history, err = issues_model.GetIssueContentHistoryByID(ctx, historyID); err != nil {
+		log.Error("can not get issue content history %v. err=%v", historyID, err)
+		return
+	}
+	if history.IssueID != issue.ID {
+		ctx.NotFound("CompareRepoID", issues_model.ErrCommentNotExist{})
+		return
+	}
 	if commentID != 0 {
+		if history.CommentID != commentID {
+			ctx.NotFound("CompareCommentID", issues_model.ErrCommentNotExist{})
+			return
+		}
+
 		if comment, err = issues_model.GetCommentByID(ctx, commentID); err != nil {
 			log.Error("can not get comment for issue content history %v. err=%v", historyID, err)
 			return
 		}
-	}
-	if history, err = issues_model.GetIssueContentHistoryByID(ctx, historyID); err != nil {
-		log.Error("can not get issue content history %v. err=%v", historyID, err)
-		return
+		if comment.IssueID != issue.ID {
+			ctx.NotFound("CompareIssueID", issues_model.ErrCommentNotExist{})
+			return
+		}
 	}
 
 	canSoftDelete := canSoftDeleteContentHistory(ctx, issue, comment, history)
diff --git a/routers/web/repo/issue_pin.go b/routers/web/repo/issue_pin.go
index bbfeaee6e8..6680de32a9 100644
--- a/routers/web/repo/issue_pin.go
+++ b/routers/web/repo/issue_pin.go
@@ -90,6 +90,12 @@ func IssuePinMove(ctx *context.Context) {
 		return
 	}
 
+	if issue.RepoID != ctx.Repo.Repository.ID {
+		ctx.Status(http.StatusNotFound)
+		log.Error("Issue does not belong to this repository")
+		return
+	}
+
 	err = issue.MovePin(ctx, form.Position)
 	if err != nil {
 		ctx.Status(http.StatusInternalServerError)