diff --git a/src/backend/app/api/monitoring.py b/src/backend/app/api/monitoring.py
index 3cf48a7..2f51a26 100644
--- a/src/backend/app/api/monitoring.py
+++ b/src/backend/app/api/monitoring.py
@@ -841,12 +841,17 @@ async def get_trends(
     from datetime import date, timedelta
     from app.services.monitoring.data_processing import ModelName
 
-    # Parse range
+    # Parse range with safe upper limit
     range_days = 7
     if range_param == "30d":
         range_days = 30
     elif re.match(r"^(\d+)d$", range_param):
-        range_days = int(range_param[:-1])
+        days = int(range_param[:-1])
+        if days < 1 or days > 365:  # Safe limit: 1-365 days
+            raise HTTPException(status_code=400, detail="Invalid range. Must be between 1d and 365d")
+        range_days = days
+    else:
+        raise HTTPException(status_code=400, detail="Invalid range. Must be '7d', '30d', or 'Nd' where N is 1-365")
 
     # Get all cost snapshots
     statement = select(CostSnapshot).where(
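Review bot: The `elif` condition still uses `re.match(r"^(\d+)d$", ...)`, and `$` also matches just before a trailing newline, so a `range_param` of `"30d\n"` passes the check while `range_param[:-1]` yields `"30d"` and `int()` raises `ValueError` — an unhandled 500 instead of the 400 the new branches intend; a digit string of several thousand characters likewise passes the regex and hits Python's int-conversion digit limit with a `ValueError`. Take the number from the match and bound its length so the regex rejects both cases: `elif (m := re.fullmatch(r"(\d{1,3})d", range_param)):` followed by `days = int(m.group(1))` in place of the slice (or call `re.fullmatch` before the `elif` if the file does not use assignment expressions). With the new `else` raising, the initial `range_days = 7` assignment is no longer reachable as a default and could be dropped, since every path now either assigns `range_days` or raises. `get_trends` begins before and continues after this hunk.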