diff --git a/dojo_plugin/pages/workspace.py b/dojo_plugin/pages/workspace.py
index e07a9ccc0..f265bd950 100644
--- a/dojo_plugin/pages/workspace.py
+++ b/dojo_plugin/pages/workspace.py
@@ -1,5 +1,6 @@
 import hmac
 
+import docker
 from flask import request, Blueprint, render_template, redirect, url_for, abort
 from CTFd.models import Users
 from CTFd.utils.user import get_current_user, is_admin
@@ -110,11 +111,14 @@ def forward_workspace(service, service_path=""):
             abort(404)
 
         if service in ondemand_services:
-            exec_run(
-                f"/opt/pwn.college/services.d/{service}",
-                workspace_user="hacker", user_id=user.id, shell=True,
-                assert_success=True
-            )
+            try:
+                exec_run(
+                    f"/opt/pwn.college/services.d/{service}",
+                    workspace_user="hacker", user_id=user.id, shell=True,
+                    assert_success=True
+                )
+            except (docker.errors.NotFound, docker.errors.APIError):
+                abort(404)
 
     elif service.count("~") == 1:
         port, user_id = service.split("~", 1)
diff --git a/dojo_plugin/utils/workspace.py b/dojo_plugin/utils/workspace.py
index ab2feabd5..c74972726 100644
--- a/dojo_plugin/utils/workspace.py
+++ b/dojo_plugin/utils/workspace.py
@@ -1,13 +1,12 @@
+import shlex
+
 import docker
+
 docker_client = docker.from_env()
 
 def exec_run(cmd, *, shell=False, assert_success=True, workspace_user="root", user_id=None, container=None, **kwargs):
-
 	if shell:
-		cmd = f"""/bin/sh -c \"
-		{cmd}
-		\""""
-
+		cmd = f'/bin/sh -c {shlex.quote(cmd)}'
 	if not container:
 		container = docker_client.containers.get(f"user_{user_id}")
 	exit_code, output = container.exec_run(cmd, user=workspace_user, **kwargs)