Commit b14702a3555 for php.net

commit b14702a3555a4219e47ea59eab1b13295bee6721
Author: Ilija Tovilo <ilija.tovilo@me.com>
Date:   Sun May 31 09:50:07 2026 +0200

    [skip ci] Specify unserialize() in security policy (GH-22184)

    unserialize() may not receive attacker-controlled inputs according to our
    documentation. This is technically already included in the second bullet point,
    but common enough to be spelled out.

diff --git a/SECURITY.md b/SECURITY.md
index 8a45d86049e..24801b3b4e4 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -34,6 +34,8 @@ are not limited to):

 - `open_basedir` or `disable_functions` bypasses.

+- Malicious `unserialize()` inputs.
+
 # Vulnerability Policy

 Our full policy is described at
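Review bot: The added bullet "Malicious `unserialize()` inputs." states the exclusion without its reason, so someone reading SECURITY.md on its own cannot tell why such reports are out of scope. The commit message gives that reason (the documentation says `unserialize()` may not receive attacker-controlled inputs). Consider carrying it into the bullet, for example by wording it as "`unserialize()` called on attacker-controlled input, which the documentation disallows", or by linking to the relevant documentation page. The commit message also says this case is already covered by the second bullet point, yet the new item is appended after the `open_basedir` / `disable_functions` entry at the end of the list. Placing it directly under the bullet it specializes, or phrasing it as an example of that bullet, would make the relationship visible to readers.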