diff --git a/v3/UNRELEASED_CHANGELOG.md b/v3/UNRELEASED_CHANGELOG.md
index c6b7006b3..b75d8fe4c 100644
--- a/v3/UNRELEASED_CHANGELOG.md
+++ b/v3/UNRELEASED_CHANGELOG.md
@@ -43,6 +43,7 @@ After processing, the content will be moved to the main changelog and this file
 <!-- Security-related changes -->
 - Restrict GITHUB_TOKEN permissions in workflow files to follow principle of least privilege
 - Fix path traversal vulnerability in screen example asset middleware
+- Fix command injection vulnerability in setup wizard dependency installation endpoint
 - Update rollup to 3.29.5 to fix XSS vulnerability (CVE-2024-47068)
 
 ---
diff --git a/v3/examples/screen/main.go b/v3/examples/screen/main.go
index 3f4981d5b..1a18785da 100644
--- a/v3/examples/screen/main.go
+++ b/v3/examples/screen/main.go
@@ -57,8 +57,8 @@ func main() {
 
 					// Clean the requested URL path and make it relative, to prevent directory traversal
 					cleanPath := filepath.Clean(r.URL.Path)
-					// Treat the request path as relative by stripping any leading slash.
-					relativePath := strings.TrimPrefix(cleanPath, string(filepath.Separator))
+					// Treat the request path as relative by stripping any leading forward slash (HTTP paths always use "/").
+					relativePath := strings.TrimPrefix(cleanPath, "/")
 
 					// Resolve the requested path against the absolute assets directory.
 					resolvedPath, err := filepath.Abs(filepath.Join(assetsDirAbs, relativePath))
@@ -76,7 +76,7 @@ func main() {
 						return
 					}
 
-					// Path is validated to be within assetsDirAbs above (lines 71-77).
+					// Path is validated to be within assetsDirAbs above.
 					if _, err := os.Stat(resolvedPath); err == nil { // #nosec G304 // lgtm[go/path-injection] -- path validated above
 						// Serve file from disk to make testing easy
 						http.ServeFile(w, r, resolvedPath) // #nosec G304 // lgtm[go/path-injection] -- path validated above