Light or Dark — Path Traversal with Dot Obfuscation + Null Byte

The application appends .css to the path supplied in the theme parameter before serving the file. Use .../ triples (which reduce to ../) and a URL-encoded null byte to escape the CSS directory and read /flag.txt.

January 1, 2024 · 2 min · giordii
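
A defensive counterpart to the technique above, as an added example that is not the challenge's code: a theme resolver that rejects NUL bytes and checks containment on the canonical path after the .css suffix is appended. The names resolve_theme and ThemeError, and the temporary css/ and flag.txt layout, are assumptions constructed for the demonstration.

```python
import os
import tempfile


class ThemeError(ValueError):
    """Raised when a theme name must not be served."""


def resolve_theme(css_dir, theme):
    """Return the real path of <css_dir>/<theme>.css, or raise ThemeError.

    Call this on the final string that reaches the filesystem, i.e. after
    all URL decoding and any filtering that could rewrite dot sequences.
    """
    # A NUL byte truncates the path in C-string based file APIs, which
    # would drop the appended ".css" suffix, so reject it outright.
    if "\x00" in theme:
        raise ThemeError("NUL byte in theme name")
    base = os.path.realpath(css_dir)
    # Canonicalise first (resolves "..", symlinks), then check containment.
    candidate = os.path.realpath(os.path.join(base, theme + ".css"))
    if os.path.commonpath([base, candidate]) != base:
        raise ThemeError("theme resolves outside the CSS directory")
    if not os.path.isfile(candidate):
        raise ThemeError("no such theme")
    return candidate


def demo():
    """Constructed layout: <tmp>/css/light.css and <tmp>/flag.txt outside it."""
    with tempfile.TemporaryDirectory() as root:
        css = os.path.join(root, "css")
        os.mkdir(css)
        for path in (os.path.join(css, "light.css"), os.path.join(root, "flag.txt")):
            with open(path, "w"):
                pass
        results = {}
        # Constructed inputs: one valid theme, then the shapes named in the text.
        for theme in ("light", "../flag.txt", "../flag.txt\x00", ".../flag.txt"):
            try:
                resolve_theme(css, theme)
                results[theme] = "served"
            except ThemeError as exc:
                results[theme] = str(exc)
        return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(repr(name), "->", outcome)
```

Because containment is checked on the canonical path, the result does not depend on how an earlier filter rewrites dot sequences.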