diff --git a/NEWS b/NEWS
index 993bdda130cd9..986783ce042d3 100644
--- a/NEWS
+++ b/NEWS
@@ -20,6 +20,11 @@ PHP                                                                        NEWS
   . Fixed bug GH-20051 (apache2 shutdowns when restart is requested during
     preloading). (Arnaud, welcomycozyhom)
 
+- Phar:
+  . Support reference values in Phar::mungServer(). (nielsdos)
+  . Invalid values now throw in Phar::mungServer() instead of being silently
+    ignored. (nielsdos)
+
 - Standard:
   . Fixed bug GH-19926 (reset internal pointer earlier while splicing array
     while COW violation flag is still set). (alexandre-daubois)
diff --git a/UPGRADING b/UPGRADING
index b9095380ed538..4b166bb5af463 100644
--- a/UPGRADING
+++ b/UPGRADING
@@ -19,6 +19,10 @@ PHP 8.6 UPGRADE NOTES
 1. Backward Incompatible Changes
 ========================================
 
+- Phar:
+  . Invalid values now throw in Phar::mungServer() instead of being silently
+    ignored.
+
 ========================================
 2. New Features
 ========================================
@@ -44,6 +48,9 @@ PHP 8.6 UPGRADE NOTES
 5. Changed Functions
 ========================================
 
+- Phar:
+  . Phar::mungServer() now supports reference values.
+
 ========================================
 6. New Functions
 ========================================
diff --git a/ext/gd/gd.c b/ext/gd/gd.c
index 5b2c34672f3b0..df741ef255d4a 100644
--- a/ext/gd/gd.c
+++ b/ext/gd/gd.c
@@ -3605,7 +3605,7 @@ PHP_FUNCTION(imagefilter)
 	zval *tmp;
 
 	typedef void (*image_filter)(INTERNAL_FUNCTION_PARAMETERS);
-	zend_long filtertype;
+	zend_long filtertype = 0;
 	image_filter filters[] =
 	{
 		php_image_filter_negate ,
@@ -3623,9 +3623,9 @@ PHP_FUNCTION(imagefilter)
 		php_image_filter_scatter
 	};
 
-	if (ZEND_NUM_ARGS() < 2 || ZEND_NUM_ARGS() > IMAGE_FILTER_MAX_ARGS) {
-		WRONG_PARAM_COUNT;
-	} else if (zend_parse_parameters(2, "Ol", &tmp, gd_image_ce, &filtertype) == FAILURE) {
+	/* We need to do some initial ZPP parsing to be able to extract the filter value */
+	if (zend_parse_parameters(MIN(2, ZEND_NUM_ARGS()), "Ol*", &tmp, gd_image_ce, &filtertype) == FAILURE) {
+
 		RETURN_THROWS();
 	}
 
diff --git a/ext/gd/tests/imagefilter_error1.phpt b/ext/gd/tests/imagefilter_error1.phpt
index 6e2ccabb874a8..cc9904e320dac 100644
--- a/ext/gd/tests/imagefilter_error1.phpt
+++ b/ext/gd/tests/imagefilter_error1.phpt
@@ -14,6 +14,12 @@ try {
 } catch (TypeError $e) {
     echo $e->getMessage(), "\n";
 }
+try {
+    var_dump(imagefilter(20, 1));
+} catch (TypeError $e) {
+    echo $e->getMessage(), "\n";
+}
 ?>
 --EXPECT--
-Wrong parameter count for imagefilter()
+imagefilter() expects at least 2 arguments, 1 given
+imagefilter(): Argument #1 ($image) must be of type GdImage, int given
diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c
index 6d5d39604197d..2ea701743f9ff 100644
--- a/ext/phar/phar_object.c
+++ b/ext/phar/phar_object.c
@@ -903,7 +903,7 @@ PHP_METHOD(Phar, mungServer)
 	phar_request_initialize();
 
 	ZEND_HASH_FOREACH_VAL(Z_ARRVAL_P(mungvalues), data) {
-
+		ZVAL_DEREF(data);
 		if (Z_TYPE_P(data) != IS_STRING) {
 			zend_throw_exception_ex(phar_ce_PharException, 0, "Non-string value passed to Phar::mungServer(), expecting an array of any of these strings: PHP_SELF, REQUEST_URI, SCRIPT_FILENAME, SCRIPT_NAME");
 			RETURN_THROWS();
@@ -917,8 +917,10 @@ PHP_METHOD(Phar, mungServer)
 			PHAR_G(phar_SERVER_mung_list) |= PHAR_MUNG_SCRIPT_NAME;
 		} else if (zend_string_equals_literal(Z_STR_P(data), "SCRIPT_FILENAME")) {
 			PHAR_G(phar_SERVER_mung_list) |= PHAR_MUNG_SCRIPT_FILENAME;
+		} else {
+			zend_throw_exception_ex(phar_ce_PharException, 0, "Invalid value passed to Phar::mungServer(), expecting an array of any of these strings: PHP_SELF, REQUEST_URI, SCRIPT_FILENAME, SCRIPT_NAME");
+			RETURN_THROWS();
 		}
-		// TODO Warning for invalid value?
 	} ZEND_HASH_FOREACH_END();
 }
 /* }}} */
@@ -1781,6 +1783,10 @@ PHP_METHOD(Phar, buildFromDirectory)
 	pass.ret = return_value;
 	pass.fp = php_stream_fopen_tmpfile();
 	if (pass.fp == NULL) {
+		zval_ptr_dtor(&iteriter);
+		if (apply_reg) {
+			zval_ptr_dtor(&regexiter);
+		}
 		zend_throw_exception_ex(phar_ce_PharException, 0, "phar \"%s\" unable to create temporary file", phar_obj->archive->fname);
 		RETURN_THROWS();
 	}
diff --git a/ext/phar/tests/invalid_string_phar_mungserver.phpt b/ext/phar/tests/invalid_string_phar_mungserver.phpt
new file mode 100644
index 0000000000000..46de113f6c087
--- /dev/null
+++ b/ext/phar/tests/invalid_string_phar_mungserver.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Passing invalid string to Phar::mungServer()
+--FILE--
+<?php
+
+$str = 'invalid';
+try {
+    Phar::mungServer([&$str]);
+} catch (PharException $e) {
+    echo $e->getMessage(), "\n";
+}
+
+?>
+--EXPECT--
+Invalid value passed to Phar::mungServer(), expecting an array of any of these strings: PHP_SELF, REQUEST_URI, SCRIPT_FILENAME, SCRIPT_NAME
diff --git a/ext/standard/tests/serialize/shm_corruption_coercion_unserialize_options.phpt b/ext/standard/tests/serialize/shm_corruption_coercion_unserialize_options.phpt
new file mode 100644
index 0000000000000..6a24a0137526c
--- /dev/null
+++ b/ext/standard/tests/serialize/shm_corruption_coercion_unserialize_options.phpt
@@ -0,0 +1,14 @@
+--TEST--
+Shm corruption with coercion in options of unserialize()
+--FILE--
+<?php
+class MyStringable {
+    public function __toString(): string {
+        return "0";
+    }
+}
+
+unserialize("{}", ["allowed_classes" => [new MyStringable]]);
+?>
+--EXPECTF--
+Warning: unserialize(): Error at offset 0 of 2 bytes in %s on line %d
diff --git a/ext/standard/var.c b/ext/standard/var.c
index 4df86f49434a0..a1ef60410a338 100644
--- a/ext/standard/var.c
+++ b/ext/standard/var.c
@@ -1415,19 +1415,20 @@ PHPAPI void php_unserialize_with_options(zval *return_value, const char *buf, co
 						function_name, zend_zval_value_name(entry));
 					goto cleanup;
 				}
-				zend_string *name = zval_try_get_string(entry);
+				zend_string *tmp_str;
+				zend_string *name = zval_try_get_tmp_string(entry, &tmp_str);
 				if (UNEXPECTED(name == NULL)) {
 					goto cleanup;
 				}
 				if (UNEXPECTED(!zend_is_valid_class_name(name))) {
 					zend_value_error("%s(): Option \"allowed_classes\" must be an array of class names, \"%s\" given", function_name, ZSTR_VAL(name));
-					zend_string_release_ex(name, false);
+					zend_tmp_string_release(tmp_str);
 					goto cleanup;
 				}
 				zend_string *lcname = zend_string_tolower(name);
 				zend_hash_add_empty_element(class_hash, lcname);
-		        zend_string_release_ex(name, false);
 		        zend_string_release_ex(lcname, false);
+		        zend_tmp_string_release(tmp_str);
 			} ZEND_HASH_FOREACH_END();
 		}
 		php_var_unserialize_set_allowed_classes(var_hash, class_hash);