diff --git a/lib/confluence-client.js b/lib/confluence-client.js
index 84802bd..7d0d41c 100644
--- a/lib/confluence-client.js
+++ b/lib/confluence-client.js
@@ -1073,10 +1073,11 @@ class ConfluenceClient {
       // so they appear as literal characters in the CDATA output
       const decodedCode = code.replace(/\n$/, '')
         .replace(/&quot;/g, '"')
-        .replace(/&amp;/g, '&')
         .replace(/&lt;/g, '<')
-        .replace(/&gt;/g, '>');
-      return `<ac:structured-macro ac:name="code"><ac:parameter ac:name="language">${language}</ac:parameter><ac:plain-text-body><![CDATA[${decodedCode}]]></ac:plain-text-body></ac:structured-macro>`;
+        .replace(/&gt;/g, '>')
+        .replace(/&amp;/g, '&');   // & last to avoid double-decoding
+      const safeCode = decodedCode.replace(/]]>/g, ']]]]><![CDATA[>');
+      return `<ac:structured-macro ac:name="code"><ac:parameter ac:name="language">${language}</ac:parameter><ac:plain-text-body><![CDATA[${safeCode}]]></ac:plain-text-body></ac:structured-macro>`;
     });
     
     // Convert inline code
diff --git a/tests/confluence-client.test.js b/tests/confluence-client.test.js
index 5f40248..3ce55ec 100644
--- a/tests/confluence-client.test.js
+++ b/tests/confluence-client.test.js
@@ -327,6 +327,16 @@ describe('ConfluenceClient', () => {
       expect(result).toContain('<td><p>Cell 1</p></td>');
     });
 
+    test('should escape CDATA terminators in code blocks', () => {
+      const markdown = '```xml\n<![CDATA[some data]]>\n```';
+      const result = client.markdownToStorage(markdown);
+
+      expect(result).toContain('<![CDATA[');
+      expect(result).toContain(']]]]><![CDATA[>');
+      // The literal ]]> from user code should not appear unescaped
+      expect(result).not.toContain('some data]]>');
+    });
+
     test('should convert links to smart link format on Cloud instances', () => {
       const markdown = '[Example Link](https://example.com)';
       const result = client.markdownToStorage(markdown);
