diff --git a/web/list/backup/index.php b/web/list/backup/index.php
index 4c13cb7e..59723c22 100644
--- a/web/list/backup/index.php
+++ b/web/list/backup/index.php
@@ -19,7 +19,7 @@ if (empty($_GET['backup'])){
 unset($output);
 include($_SERVER['DOCUMENT_ROOT'].'/templates/admin/list_backup.html');
 } else {
- exec (VESTA_CMD."v-list-user-backup $user '".$_GET['backup']."' json", $output, $return_var);
+ exec (VESTA_CMD."v-list-user-backup $user '".escapeshellarg($_GET['backup'])."' json", $output, $return_var);
 $data = json_decode(implode('', $output), true);
 $data = array_reverse($data,true);
 unset($output);
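Review bot: On the added `exec` line the `escapeshellarg()` result is still wrapped in the literal single quotes kept from the old code; because `escapeshellarg()` already emits its own surrounding quotes, the two pairs cancel each other and the request value reaches the shell effectively unquoted, so the escaping does not take effect. Remove the literal quotes so the function's output is the entire argument: `exec (VESTA_CMD."v-list-user-backup $user ".escapeshellarg($_GET['backup'])." json", $output, $return_var);`. `$user` is interpolated into the same command line and is assigned outside this hunk, so it is worth confirming it is server-derived or escaped as well. The enclosing if/else block starts and ends outside the hunk.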