104 - VID_INTERESTING_LANGUAGE_PHP_SERIALIZATION_ON_USER_CONTROLLED_DATA

Deserialization is not automatically exploitable in PHP. It can be exploitable if the functionality allows code paths that were not foreseen. This can happen when developers do not forsee that forged objects could be offered for deserialization.

php $sess_data = @unserialize($_COOKIE["$sess_cookie"]);

Links:

https://medium.com/swlh/exploiting-php-deserialization-56d71f03282a (Exploiting PHP deserialization)