diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2018bdb5f0..74e7d2235a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -22,7 +22,7 @@ release channel, you can take advantage of these new features and fixes.
 identifier; if you're calling the API externally, you should _always_ use a
 generated API key and not count on the user's existing session.
--
+- A minor cross-site scripting (XSS) vulnerability on public pages has been resolved.
 ---
diff --git a/src/Customization.php b/src/Customization.php
index 057a65e9cd..d5ac8dded3 100644
--- a/src/Customization.php
+++ b/src/Customization.php
@@ -17,6 +17,7 @@ class Customization
 public const THEME_BROWSER = 'browser';
 public const THEME_LIGHT = 'light';
 public const THEME_DARK = 'dark';
+public const THEMES = [self::THEME_BROWSER, self::THEME_LIGHT, self::THEME_DARK];
 protected ?Entity\User $user = null;
@@ -45,7 +46,7 @@ public function __construct(
 // Register current theme
 $queryParams = $request->getQueryParams();
-if (!empty($queryParams['theme'])) {
+if (!empty($queryParams['theme']) && in_array($queryParams['theme'], self::THEMES, true)) {
 $this->publicTheme = $this->theme = $queryParams['theme'];
 } else {
 $this->publicTheme = $this->settings->getPublicTheme() ?? $this->publicTheme;
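Review bot: The `!empty($queryParams['theme'])` half of the new condition in the `__construct` hunk is now redundant with the strict `in_array` allow-list and only keeps PHP's `'0'`-is-empty quirk alive; `if (in_array($queryParams['theme'] ?? null, self::THEMES, true)) {` expresses the whole check in one step and still avoids an undefined-index warning. The strict comparison also means an array-valued `theme[]=` query parameter can never match one of the string constants, so the fall-through to the configured theme covers that case too. Since the changelog entry describes this as an XSS fix, the value is presumably reflected into page markup later; a one-line why-comment above the check, `// Only a known theme name may come from the query string; anything else falls back to the configured theme.`, would keep a future edit from loosening it back to a free-form string. Note that the fallback `$this->settings->getPublicTheme()` is not run through `self::THEMES`, which is fine as long as that setting is validated where it is written. `__construct` continues beyond the end of the hunk.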