diff --git a/src/bin/proxmox-backup-proxy.rs b/src/bin/proxmox-backup-proxy.rs
index d93840c5..85c34ea2 100644
--- a/src/bin/proxmox-backup-proxy.rs
+++ b/src/bin/proxmox-backup-proxy.rs
@@ -96,10 +96,12 @@ fn get_language(headers: &http::HeaderMap) -> String {
 
 fn get_theme(headers: &http::HeaderMap) -> String {
     let exists = |t: &str| {
-        Path::new(&format!(
-            "/usr/share/javascript/proxmox-widget-toolkit/themes/theme-{t}.css"
-        ))
-        .exists()
+        t.len() < 32
+            && !t.contains('/')
+            && Path::new(&format!(
+                "/usr/share/javascript/proxmox-widget-toolkit/themes/theme-{t}.css"
+            ))
+            .exists()
     };
 
     match cookie_from_header(headers, "PBSThemeCookie") {