diff --git a/reference/var/functions/unserialize.xml b/reference/var/functions/unserialize.xml
index 7eb2541b79..f0d8710145 100644
--- a/reference/var/functions/unserialize.xml
+++ b/reference/var/functions/unserialize.xml
@@ -158,6 +158,16 @@ function mycallback($classname)
E_NOTICE.
+
+
+ Do not pass untrusted user input to unserialize.
+ Unserialization can result in code being loaded and executed due to object
+ instantiation and autoloading, and a malicious user may be able to exploit
+ this. Use a safe, standard data interchange format such as JSON (via
+ json_decode and json_encode) if
+ you need to pass serialized data to the user.
+
+
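Review bot: The last sentence of the new warning ("if you need to pass serialized data to the user") points the wrong way: the hazard the paragraph describes is unserialize() being called on data that comes back from the user, not data sent out to them. Suggest rewording to "if you need to exchange serialized data with the user" (or "accept serialized data from the user") so the recommendation matches the first sentence, "Do not pass untrusted user input to unserialize."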