diff --git a/bundles/AdminBundle/Controller/Admin/LoginController.php b/bundles/AdminBundle/Controller/Admin/LoginController.php
index a047245eb7c..0798b044b18 100644
--- a/bundles/AdminBundle/Controller/Admin/LoginController.php
+++ b/bundles/AdminBundle/Controller/Admin/LoginController.php
@@ -29,6 +29,7 @@
 use Pimcore\Http\ResponseHelper;
 use Pimcore\Logger;
 use Pimcore\Model\User;
+use Pimcore\Security\SecurityHelper;
 use Pimcore\Tool;
 use Pimcore\Tool\Authentication;
 use Symfony\Component\HttpFoundation\RedirectResponse;
@@ -114,7 +115,7 @@ public function loginAction(Request $request, CsrfProtectionHandler $csrfProtect
 $params['csrfTokenRefreshInterval'] = ((int)$session_gc_maxlifetime - 60) * 1000;
 if ($request->get('too_many_attempts')) {
-$params['error'] = $request->get('too_many_attempts');
+$params['error'] = SecurityHelper::convertHtmlSpecialChars($request->get('too_many_attempts'));
 }
 if ($request->get('auth_failed')) {
 $params['error'] = 'error_auth_failed';
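Review bot: The new line only HTML-escapes the request-supplied `too_many_attempts` value, yet every other branch in this block assigns a fixed translation key (`'error_auth_failed'`), so a free-text value should not reach `$params['error']` at all; validating it against the set of keys the redirect is known to emit, with a fixed fallback key otherwise, would keep user-controlled content out of the view entirely. If the template autoescapes this value (not visible in the hunk), escaping in the controller additionally double-encodes legitimate characters, e.g. `&` rendering as `&amp;`. Separately, `$request->get('too_many_attempts')` is evaluated twice; a local avoids the repeated lookup: `$tooManyAttempts = $request->get('too_many_attempts');` / `if ($tooManyAttempts) {` / `$params['error'] = SecurityHelper::convertHtmlSpecialChars($tooManyAttempts);`. loginAction begins and ends outside the hunk.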