{{Several unserialize() calls in phpBB do not restrict allowed classes,
allowing PHP Object Injection if an attacker can write to the relevant
database tables.

Affected files:

• phpbb/notification/type/base.php
• phpbb/extension/manager.php
• phpbb/textreparser/manager.php
• includes/functions_display.php

Fix: pass ['allowed_classes' => false] to all affected unserialize() calls.}}