diff --git a/typo3/sysext/impexp/Classes/Domain/Repository/PresetRepository.php b/typo3/sysext/impexp/Classes/Domain/Repository/PresetRepository.php
index 9229e656e05098fb6886e5d38326a2a446fe7959..bfa3b3da85d918716bd066b8c66c10fb3fac9259 100644
--- a/typo3/sysext/impexp/Classes/Domain/Repository/PresetRepository.php
+++ b/typo3/sysext/impexp/Classes/Domain/Repository/PresetRepository.php
@@ -123,7 +123,7 @@ class PresetRepository
             $preset = $this->getPreset($presetData['select']);
             if (is_array($preset)) {
                 // Update existing
-                $inData_temp = unserialize($preset['preset_data']);
+                $inData_temp = unserialize($preset['preset_data'], ['allowed_classes' => false]);
                 if (is_array($inData_temp)) {
                     if (isset($presetData['merge'])) {
                         // Merge records in:
diff --git a/typo3/sysext/impexp/Classes/Import.php b/typo3/sysext/impexp/Classes/Import.php
index ef985cf0fd0e723cc6440ad5fc17f8cbf910a74b..ce53dd4a04a1b50c1a466b31e7b6c52e5b03d1b4 100644
--- a/typo3/sysext/impexp/Classes/Import.php
+++ b/typo3/sysext/impexp/Classes/Import.php
@@ -1749,7 +1749,7 @@ class Import extends ImportExport
                     return null;
                 }
             }
-            return $unserialize ? unserialize($datString) : $datString;
+            return $unserialize ? unserialize($datString, ['allowed_classes' => false]) : $datString;
         } else {
             $this->error('MD5 check failed (' . $name . ')');
         }
@@ -1798,7 +1798,7 @@ class Import extends ImportExport
             if ($initStrDat[1]) {
                 if ($this->compress) {
                     $datString = gzuncompress($datString);
-                    return $unserialize ? unserialize($datString) : $datString;
+                    return $unserialize ? unserialize($datString, ['allowed_classes' => false]) : $datString;
                 } else {
                     $this->error('Content read error: This file requires decompression, but this server does not offer gzcompress()/gzuncompress() functions.');
                 }
diff --git a/typo3/sysext/impexp/Classes/Task/ImportExportTask.php b/typo3/sysext/impexp/Classes/Task/ImportExportTask.php
index 249aca383accc2df1bc945c57f0ad7951a173094..ab743f3d67570b53674b5cf2524e564e8a3ac347 100644
--- a/typo3/sysext/impexp/Classes/Task/ImportExportTask.php
+++ b/typo3/sysext/impexp/Classes/Task/ImportExportTask.php
@@ -107,7 +107,7 @@ class ImportExportTask implements TaskInterface
             if (is_array($presets) && !empty($presets)) {
                 $lines = [];
                 foreach ($presets as $key => $presetCfg) {
-                    $configuration = unserialize($presetCfg['preset_data']);
+                    $configuration = unserialize($presetCfg['preset_data'], ['allowed_classes' => false]);
                     $title = strlen($presetCfg['title']) ? $presetCfg['title'] : '[' . $presetCfg['uid'] . ']';
                     $icon = 'EXT:impexp/Resources/Public/Images/export.gif';
                     $description = array();
diff --git a/typo3/sysext/impexp/Classes/View/ExportPageTreeView.php b/typo3/sysext/impexp/Classes/View/ExportPageTreeView.php
index 96abce9e975c693832c5085e155745c2473d0267..027baba1aee7d3b9e4428644559b60e3ee0af0f3 100644
--- a/typo3/sysext/impexp/Classes/View/ExportPageTreeView.php
+++ b/typo3/sysext/impexp/Classes/View/ExportPageTreeView.php
@@ -86,7 +86,7 @@ class ExportPageTreeView extends BrowseTreeView
         // Initialize:
         $this->init(' AND ' . $this->BE_USER->getPagePermsClause(1) . $clause);
         // Get stored tree structure:
-        $this->stored = unserialize($this->BE_USER->uc['browseTrees']['browsePages']);
+        $this->stored = unserialize($this->BE_USER->uc['browseTrees']['browsePages'], ['allowed_classes' => false]);
         $treeArr = array();
         $idx = 0;
         // Set first: