diff --git a/reference/var/functions/unserialize.xml b/reference/var/functions/unserialize.xml
index 7eb2541b79..f0d8710145 100644
--- a/reference/var/functions/unserialize.xml
+++ b/reference/var/functions/unserialize.xml
@@ -158,6 +158,16 @@ function mycallback($classname)
     <constant>E_NOTICE</constant>.
    </para>
   </warning>
+  <warning>
+   <para>
+    Do not pass untrusted user input to <function>unserialize</function>.
+    Unserialization can result in code being loaded and executed due to object
+    instantiation and autoloading, and a malicious user may be able to exploit
+    this. Use a safe, standard data interchange format such as JSON (via
+    <function>json_decode</function> and <function>json_encode</function>) if
+    you need to pass serialized data to the user.
+   </para>
+  </warning>
  </refsect1>
 
  <refsect1 role="seealso">