diff --git a/src/telegram/format.ts b/src/telegram/format.ts
index 6282e0d2828..1a0b9c0a583 100644
--- a/src/telegram/format.ts
+++ b/src/telegram/format.ts
@@ -132,9 +132,14 @@ export function markdownToTelegramHtml(
  * Runs AFTER markdown→HTML conversion to avoid modifying HTML attributes.
  * Skips content inside <code>, <pre>, and <a> tags to avoid nesting issues.
  */
+/** Escape regex metacharacters in a string */
+function escapeRegex(str: string): string {
+  return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+
 export function wrapFileReferencesInHtml(html: string): string {
-  // Build regex pattern for all tracked extensions
-  const extensionsPattern = Array.from(FILE_EXTENSIONS_WITH_TLD).join("|");
+  // Build regex pattern for all tracked extensions (escape metacharacters for safety)
+  const extensionsPattern = Array.from(FILE_EXTENSIONS_WITH_TLD).map(escapeRegex).join("|");
 
   // Safety-net: de-linkify auto-generated anchors where href="http://<label>" (defense in depth for textMode: "html")
   const autoLinkedAnchor = /<a\s+href="https?:\/\/([^"]+)"[^>]*>\1<\/a>/gi;
@@ -142,7 +147,7 @@ export function wrapFileReferencesInHtml(html: string): string {
     if (!isAutoLinkedFileRef(`http://${label}`, label)) {
       return _match;
     }
-    return `<code>${label}</code>`;
+    return `<code>${escapeHtml(label)}</code>`;
   });
   const filePattern = new RegExp(
     `(^|>|[\\s])([a-zA-Z0-9_.\\-./]+\\.(?:${extensionsPattern}))(?=$|[\\s<])`,
@@ -179,7 +184,7 @@ export function wrapFileReferencesInHtml(html: string): string {
       if (/https?:\/\/$/i.test(prefix)) {
         return m;
       }
-      return `${prefix}<code>${filename}</code>`;
+      return `${prefix}<code>${escapeHtml(filename)}</code>`;
     });
 
     // Update tag depth
@@ -208,7 +213,7 @@ export function wrapFileReferencesInHtml(html: string): string {
     if (/https?:\/\/$/i.test(prefix)) {
       return m;
     }
-    return `${prefix}<code>${filename}</code>`;
+    return `${prefix}<code>${escapeHtml(filename)}</code>`;
   });
 
   return result;
diff --git a/src/telegram/format.wrap-md.test.ts b/src/telegram/format.wrap-md.test.ts
index 4c11b6f7a65..0b2b61ac9fd 100644
--- a/src/telegram/format.wrap-md.test.ts
+++ b/src/telegram/format.wrap-md.test.ts
@@ -277,4 +277,29 @@ describe("edge cases", () => {
     const input = '<a href="http://other.md">README.md</a>';
     expect(wrapFileReferencesInHtml(input)).toBe(input);
   });
+
+  it("does not match filenames with special characters", () => {
+    // The regex only matches [a-zA-Z0-9_.\\-./] so & breaks the pattern
+    const input = "R&D.md";
+    const result = wrapFileReferencesInHtml(input);
+    // Not wrapped because & is not in the allowed character class
+    expect(result).toBe(input);
+  });
+
+  it("does not match filenames containing angle brackets", () => {
+    // The regex character class [a-zA-Z0-9_.\\-./] doesn't include < >
+    // so these won't be matched and wrapped (which is correct/safe)
+    const input = "file<script>.md";
+    const result = wrapFileReferencesInHtml(input);
+    // Not wrapped because < breaks the filename pattern
+    expect(result).toBe(input);
+  });
+
+  it("wraps only the valid filename portion before HTML tags", () => {
+    // x.md is a valid filename, </code><b>bold</b> is not part of it
+    const input = "x.md</code><b>bold</b>";
+    const result = wrapFileReferencesInHtml(input);
+    // Only x.md gets wrapped, the rest passes through
+    expect(result).toBe("<code>x.md</code></code><b>bold</b>");
+  });
 });