diff --git a/lib/Controller/AttachmentController.php b/lib/Controller/AttachmentController.php
index 7b6f3337ca..998ff7a342 100644
--- a/lib/Controller/AttachmentController.php
+++ b/lib/Controller/AttachmentController.php
@@ -23,6 +23,7 @@
 use OCP\AppFramework\Http\DataResponse;
 use OCP\AppFramework\Http\RedirectResponse;
 use OCP\Files\IMimeTypeDetector;
+use OCP\Files\InvalidPathException;
 use OCP\IL10N;
 use OCP\IRequest;
 use OCP\Util;
@@ -133,6 +134,10 @@ public function uploadAttachment(string $token = ''): DataResponse {
 }
 }
 return new DataResponse(['error' => 'No uploaded file'], Http::STATUS_BAD_REQUEST);
+ } catch (InvalidPathException $e) {
+ $this->logger->error('Upload error', ['exception' => $e]);
+ $error = $e->getMessage() ?: 'Upload error';
+ return new DataResponse(['error' => $error], Http::STATUS_BAD_REQUEST);
 } catch (Exception $e) {
 $this->logger->error('Upload error', ['exception' => $e]);
 return new DataResponse(['error' => 'Upload error'], Http::STATUS_BAD_REQUEST);
diff --git a/lib/Service/AttachmentService.php b/lib/Service/AttachmentService.php
index ff273f0226..c5f45e610e 100644
--- a/lib/Service/AttachmentService.php
+++ b/lib/Service/AttachmentService.php
@@ -16,6 +16,7 @@
 use OCP\Constants;
 use OCP\Files\File;
 use OCP\Files\Folder;
+use OCP\Files\IFilenameValidator;
 use OCP\Files\IMimeTypeDetector;
 use OCP\Files\InvalidPathException;
 use OCP\Files\IRootFolder;
@@ -35,7 +36,8 @@ public function __construct(private IRootFolder $rootFolder,
 private ShareManager $shareManager,
 private IPreview $previewManager,
 private IMimeTypeDetector $mimeTypeDetector,
- private IURLGenerator $urlGenerator) {
+ private IURLGenerator $urlGenerator,
+ private IFilenameValidator $filenameValidator) {
 }

 /**
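Review bot: The new `catch (InvalidPathException $e)` in AttachmentController::uploadAttachment returns `$e->getMessage()` to the caller for every InvalidPathException raised inside the try, not only the ones produced by the filename validator this commit adds to AttachmentService. Messages from other sources of that exception were not necessarily written for end users and may name internal paths, and the method takes a `$token`, so the response presumably also reaches share-link users. A rejected file name is also a client error that any uploader can trigger repeatedly, so it should not be logged at error level; I would change that line to `$this->logger->info('Upload rejected: invalid path or file name', ['exception' => $e]);` and confirm which messages can end up in `$error`. The try block starts outside this hunk.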
@@ -263,6 +265,7 @@ public function uploadAttachment(int $documentId, string $newFileName, $newFileR
 }
 $saveDir = $this->getAttachmentDirectoryForFile($textFile, true);
 $fileName = self::getUniqueFileName($saveDir, $newFileName);
+ $this->filenameValidator->validateFilename($fileName);
 $savedFile = $saveDir->newFile($fileName, $newFileResource);
 return [
 'name' => $fileName,
@@ -293,6 +296,7 @@ public function uploadAttachmentPublic(?int $documentId, string $newFileName, $n
 $textFile = $this->getTextFilePublic($documentId, $shareToken);
 $saveDir = $this->getAttachmentDirectoryForFile($textFile, true);
 $fileName = self::getUniqueFileName($saveDir, $newFileName);
+ $this->filenameValidator->validateFilename($fileName);
 $savedFile = $saveDir->newFile($fileName, $newFileResource);
 return [
 'name' => $fileName,
diff --git a/src/components/Editor/MediaHandler.vue b/src/components/Editor/MediaHandler.vue
index 7d919e85c7..ef9c623151 100644
--- a/src/components/Editor/MediaHandler.vue
+++ b/src/components/Editor/MediaHandler.vue
@@ -129,7 +129,11 @@ export default {
 })
 .catch((error) => {
 logger.error('Uploading attachment failed', { error })
- showError(t('text', 'Uploading attachment failed.'))
+ if (error.response?.data.error) {
+ showError(t('text', 'Uploading attachment failed: {error}', { error: error.response.data.error }))
+ } else {
+ showError(t('text', 'Uploading attachment failed.'))
+ }
 })
 .then(() => {
 this.state.isUploadingAttachments = false
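Review bot: `validateFilename($fileName)` in uploadAttachment runs only after `getUniqueFileName($saveDir, $newFileName)` has already been handed the unvalidated client-supplied name, and after `getAttachmentDirectoryForFile($textFile, true)` has been called; the `uploadAttachmentPublic` hunk below has the same order. Rejecting the raw name first keeps invalid input away from the uniqueness lookup and, if the `true` argument creates the attachment folder as it appears to, avoids creating a folder for an upload that is then refused: add `$this->filenameValidator->validateFilename($newFileName);` before the `$saveDir = ...` line in both methods. The existing check on `$fileName` is worth keeping, since the uniqueness step may change the final name. Both function bodies start and end outside their hunks.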
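Review bot: In the `.catch` handler of MediaHandler.vue, `error.response?.data.error` guards only `response`; if a response arrives without a parsed body, the property access throws inside the handler, the chained `.then` that resets `this.state.isUploadingAttachments` is skipped, and the upload state presumably stays stuck. Use `error.response?.data?.error` in the condition. Every server-side `error` string now reaches the toast as well, including the generic `'Upload error'` and `'No uploaded file'` from the controller, and those are untranslated English literals placed inside a translated sentence. The promise chain starts outside the hunk.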