diff --git a/apps/dav/lib/DAV/CustomPropertiesBackend.php b/apps/dav/lib/DAV/CustomPropertiesBackend.php
index dc207d178803f..a0e99233e1164 100644
--- a/apps/dav/lib/DAV/CustomPropertiesBackend.php
+++ b/apps/dav/lib/DAV/CustomPropertiesBackend.php
@@ -566,6 +566,18 @@ private function formatPath(string $path): string {
 		return $path;
 	}
 
+	private static function checkIsArrayOfScalar(string $name, array $array): void {
+		foreach ($array as $item) {
+			if (is_array($item)) {
+				self::checkIsArrayOfScalar($name, $item);
+			} elseif ($item !== null && !is_scalar($item)) {
+				throw new DavException(
+					"Property \"$name\" has an invalid value of array containing " . gettype($item),
+				);
+			}
+		}
+	}
+
 	/**
 	 * @throws ParseException If parsing a \Sabre\DAV\Xml\Property\Complex value fails
 	 * @throws DavException If the property value is invalid
@@ -600,6 +612,23 @@ private function encodeValueForDatabase(string $path, string $name, mixed $value
 			$valueType = self::PROPERTY_TYPE_HREF;
 			$value = $value->getHref();
 		} else {
+			if (is_array($value)) {
+				// For array only allow scalar values
+				self::checkIsArrayOfScalar($name, $value);
+			} elseif (!is_object($value)) {
+				throw new DavException(
+					"Property \"$name\" has an invalid value of type " . gettype($value),
+				);
+			} else {
+				if (!str_starts_with($value::class, 'Sabre\\DAV\\Xml\\Property\\')
+					&& !str_starts_with($value::class, 'Sabre\\CalDAV\\Xml\\Property\\')
+					&& !str_starts_with($value::class, 'Sabre\\CardDAV\\Xml\\Property\\')
+					&& !str_starts_with($value::class, 'OCA\\DAV\\')) {
+					throw new DavException(
+						"Property \"$name\" has an invalid value of class " . $value::class,
+					);
+				}
+			}
 			$valueType = self::PROPERTY_TYPE_OBJECT;
 			// serialize produces null character
 			// these can not be properly stored in some databases and need to be replaced
@@ -612,13 +641,24 @@ private function encodeValueForDatabase(string $path, string $name, mixed $value
 	 * @return mixed|Complex|string
 	 */
 	private function decodeValueFromDatabase(string $value, int $valueType): mixed {
-		return match ($valueType) {
-			self::PROPERTY_TYPE_XML => new Complex($value),
-			self::PROPERTY_TYPE_HREF => new Href($value),
-			// some databases can not handel null characters, these are custom encoded during serialization
-			// this custom encoding needs to be first reversed before unserializing
-			self::PROPERTY_TYPE_OBJECT => unserialize(str_replace('\x00', chr(0), $value)),
-			default => $value,
+		switch ($valueType) {
+			case self::PROPERTY_TYPE_XML:
+				return new Complex($value);
+			case self::PROPERTY_TYPE_HREF:
+				return new Href($value);
+			case self::PROPERTY_TYPE_OBJECT:
+				if (preg_match('/^a:/', $value)) {
+					// Array, unserialize only scalar values
+					return unserialize(str_replace('\x00', chr(0), $value), ['allowed_classes' => false]);
+				}
+				if (!preg_match('/^O\:\d+\:\"(OCA\\\\DAV\\\\|Sabre\\\\(Cal|Card)?DAV\\\\Xml\\\\Property\\\\)/', $value)) {
+					throw new \LogicException('Found an object class serialized in DB that is not allowed');
+				}
+				// some databases can not handel null characters, these are custom encoded during serialization
+				// this custom encoding needs to be first reversed before unserializing
+				return unserialize(str_replace('\x00', chr(0), $value));
+			default:
+				return $value;
 		};
 	}