diff --git a/application/Espo/Core/MassAction/Params.php b/application/Espo/Core/MassAction/Params.php index 1d60ecd41b..54514a5db4 100644 --- a/application/Espo/Core/MassAction/Params.php +++ b/application/Espo/Core/MassAction/Params.php @@ -208,6 +208,21 @@ class Params { $this->entityType = $data['entityType']; $this->ids = $data['ids']; - $this->searchParams = unserialize($data['searchParams']); + $this->searchParams = unserialize($data['searchParams'], [ + 'allowed_classes' => [SearchParams::class], + ]); + } + + /** + * @internal + */ + public static function fromSerializedRaw(string $raw): self + { + /** @var Params $params */ + $params = unserialize(base64_decode($raw), [ + 'allowed_classes' => [Params::class], + ]); + + return $params; } } diff --git a/application/Espo/Entities/Export.php b/application/Espo/Entities/Export.php index 77d43ad6cf..e98e8a6df0 100644 --- a/application/Espo/Entities/Export.php +++ b/application/Espo/Entities/Export.php @@ -52,10 +52,7 @@ class Export extends Entity throw new RuntimeException("No 'params'."); } - /** @var Params $params */ - $params = unserialize(base64_decode($raw)); - - return $params; + return Params::fromSerializedRaw($raw); } public function getStatus(): string diff --git a/application/Espo/Entities/MassAction.php b/application/Espo/Entities/MassAction.php index 3436a4c7c2..629c625411 100644 --- a/application/Espo/Entities/MassAction.php +++ b/application/Espo/Entities/MassAction.php @@ -37,6 +37,7 @@ use Espo\Core\Field\Link; use Espo\Core\MassAction\Data; use Espo\Core\MassAction\Params; +use Espo\Core\Select\SearchParams; use RuntimeException; use stdClass; @@ -61,10 +62,7 @@ class MassAction extends Entity throw new RuntimeException("No 'params'."); } - /** @var Params $params */ - $params = unserialize(base64_decode($raw)); - - return $params; + return Params::fromSerializedRaw($raw); } public function getData(): Data 
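Review bot: `fromSerializedRaw()` never checks what `unserialize()` actually produced; the `/** @var Params $params */` annotation is only a hint, so a truncated or tampered blob (where `unserialize()` returns `false`) or a payload of a class outside the allow-list (restored as `__PHP_Incomplete_Class`) surfaces as a `TypeError` from the `: self` return type rather than as a handled error. Both callers already throw `RuntimeException("No 'params'.")` for a missing value, so I would fail the same way here: `if (!$params instanceof self) { throw new \RuntimeException("Bad 'params'."); }`. The identical method added to `application/Espo/Tools/Export/Params.php` needs the same guard. In the first changed lines of this hunk, the result of the inner `unserialize($data['searchParams'], …)` is likewise assigned to `$this->searchParams` unchecked; the enclosing method starts outside the hunk, so its signature is not visible.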
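Review bot: The added `use Espo\Core\Select\SearchParams;` looks unused in `application/Espo/Entities/MassAction.php`. The only other hunk in this file replaces the `unserialize()` call with `Params::fromSerializedRaw($raw)`, and the allow-list that names `SearchParams::class` lives in `Core/MassAction/Params.php`. Unless code outside the visible hunks references it, drop the import so the file does not suggest that this entity deserializes `SearchParams` itself.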
diff --git a/application/Espo/Tools/Export/Params.php b/application/Espo/Tools/Export/Params.php
index 7f3629e3a3..243194ad79 100644
--- a/application/Espo/Tools/Export/Params.php
+++ b/application/Espo/Tools/Export/Params.php
@@ -321,4 +321,17 @@ class Params
 {
 return $this->applyAccessControl;
 }
+
+ /**
+ * @internal
+ */
+ public static function fromSerializedRaw(string $raw): self
+ {
+ /** @var Params $params */
+ $params = unserialize(base64_decode($raw), [
+ 'allowed_classes' => [Params::class],
+ ]);
+
+ return $params;
+ }
 }
diff --git a/tests/unit/Espo/Core/MassAction/ParamsTest.php b/tests/unit/Espo/Core/MassAction/ParamsTest.php
index e975261413..fe493f1fce 100644
--- a/tests/unit/Espo/Core/MassAction/ParamsTest.php
+++ b/tests/unit/Espo/Core/MassAction/ParamsTest.php
@@ -172,8 +172,7 @@ class ParamsTest extends \PHPUnit\Framework\TestCase
 'Test'
 );
- /** @var Params $params2 */
- $params2 = unserialize(serialize($params1));
+ $params2 = Params::fromSerializedRaw(base64_encode(serialize($params1)));
 $this->assertEquals($params1, $params2);
diff --git a/tests/unit/Espo/Tools/Export/ParamsTest.php b/tests/unit/Espo/Tools/Export/ParamsTest.php
new file mode 100644
index 0000000000..d4240510a7
--- /dev/null
+++ b/tests/unit/Espo/Tools/Export/ParamsTest.php
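Review bot: The allow-list `[Params::class]` in the new `Tools\Export\Params::fromSerializedRaw()` admits only the top-level object, so any object-valued property of this class would be restored as `__PHP_Incomplete_Class`. The rest of the class is outside the hunk; if it holds a `SearchParams` (or other) object and relies on PHP's default serialization, rather than storing it as a separately serialized string as `Core\MassAction\Params` appears to do, previously stored exports will fail to load or load with a broken property. Either list the nested classes explicitly, e.g. `'allowed_classes' => [Params::class, SearchParams::class],`, or add a comment on the method stating that the serialized form contains no nested objects.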
@@ -0,0 +1,45 @@ +. + * + * The interactive user interfaces in modified source and object code versions + * of this program must display Appropriate Legal Notices, as required under + * Section 5 of the GNU Affero General Public License version 3. + * + * In accordance with Section 7(b) of the GNU Affero General Public License version 3, + * these Appropriate Legal Notices must retain the display of the "EspoCRM" word. + ************************************************************************/ + +namespace tests\unit\Espo\Tools\Export; + +use Espo\Tools\Export\Params; +use PHPUnit\Framework\TestCase; + +class ParamsTest extends TestCase +{ + public function testSerialize(): void + { + $params = new Params('Test'); + + $params = Params::fromSerializedRaw(base64_encode(serialize($params))); + + $this->assertEquals('Test', $params->getEntityType()); + } +}
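Review bot: `testSerialize()` only round-trips a `Params` built from an entity type, so it does not exercise the class restriction that `fromSerializedRaw()` exists to enforce. Add a round trip for an instance that has search params set, and a negative case for an unexpected payload, for example `$this->expectException(\TypeError::class);` followed by `Params::fromSerializedRaw(base64_encode(serialize(new \stdClass())));`. The negative case pins the fail-closed behaviour, so a later change that starts returning arbitrary deserialized values is caught by the suite.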