diff --git a/spsvalidator/src/spsvalidator/services/validation_service.py b/spsvalidator/src/spsvalidator/services/validation_service.py
index 7cf4379..3dd5bbe 100644
--- a/spsvalidator/src/spsvalidator/services/validation_service.py
+++ b/spsvalidator/src/spsvalidator/services/validation_service.py
@@ -32,7 +32,7 @@ def run_validation(
 if not filename.lower().endswith(".zip"):
 raise ValueError(zip_only_message or "Only SPS .zip files are supported.")
 with tempfile.TemporaryDirectory(prefix="spsvalidator-") as temp_dir:
- zip_path = os.path.join(temp_dir, Path(filename).name)
+ zip_path = os.path.join(temp_dir, "package.zip")
 uploaded_file.save(zip_path)
 result = validate_sps_zip(zip_path)
 rows = result["rows"]
diff --git a/spsvalidator/src/spsvalidator/web/routes.py b/spsvalidator/src/spsvalidator/web/routes.py
index c3294a5..ff595cc 100644
--- a/spsvalidator/src/spsvalidator/web/routes.py
+++ b/spsvalidator/src/spsvalidator/web/routes.py
@@ -41,6 +41,12 @@ def _render_index(**context):
 )
 
 
+def _safe_redirect_target(next_url: str | None) -> str:
+ if next_url and next_url.startswith("/") and not next_url.startswith("//"):
+ return next_url
+ return url_for("web.index")
+
+
 def _redirect_with_lang(endpoint: str, **values):
 response = make_response(redirect(url_for(endpoint, **values)))
 language = normalize_language(request.cookies.get("lang"))
@@ -98,7 +104,7 @@ def download_csv(history_id: str):
 @web_blueprint.get("/language/")
 def set_language(language_code: str):
 language = normalize_language(language_code)
- redirect_target = request.args.get("next") or url_for("web.index")
+ redirect_target = _safe_redirect_target(request.args.get("next"))
 response = make_response(redirect(redirect_target))
 response.set_cookie("lang", language, max_age=60 * 60 * 24 * 365)
 return response
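Review bot: The constant `"package.zip"` in the `os.path.join` call has no comment explaining why the upload's own name is no longer used, so a later cleanup could reintroduce the client-supplied name; I would add `# Fixed name on purpose: never build a filesystem path from the client-supplied filename.` above it. The upload is still accepted on its extension alone (the `endswith(".zip")` test in the context lines), so `zipfile.is_zipfile(zip_path)` after `uploaded_file.save(...)` would reject non-archives early, unless `validate_sps_zip` already does this, which is not visible here. Member names inside the archive remain untrusted input to `validate_sps_zip`, and if `Path` has no other user in this module its import is now dead. `run_validation` starts and ends outside the hunk.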
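Review bot: `_safe_redirect_target` still lets through values that a browser does not treat as a same-site path: the prefix test rejects `//` but not a backslash in second position, which browsers normalise to `/`, nor embedded tab/CR/LF characters, which browsers strip before resolving the URL. I would reject any backslash or control character and confirm with `urlsplit` that the value has no scheme or netloc before returning it; this needs `from urllib.parse import urlsplit` at the top of `routes.py`. The helper also has no docstring stating its contract (a same-site absolute path, or the index URL). The call site is `set_language` in the next hunk, and a unit test over a table of accepted and rejected values would keep the check from regressing.

```python
def _safe_redirect_target(next_url: str | None) -> str:
    """Return next_url only if it is a same-site absolute path, else the index URL."""
    fallback = url_for("web.index")
    if not next_url or not next_url.startswith("/") or next_url.startswith("//"):
        return fallback
    # Browsers treat "\" as "/" and drop tab/CR/LF, so refuse them outright.
    if "\\" in next_url or any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in next_url):
        return fallback
    parts = urlsplit(next_url)
    if parts.scheme or parts.netloc:
        return fallback
    return next_url
```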