fix: ensure csrf token is string

system/Security/Security.php

@@ -307,6 +307,10 @@ private function getPostedToken(RequestInterface $request): ?string
         // Does the token exist in POST, HEADER or optionally php:://input - json data or PUT, DELETE, PATCH - raw data.
 
         if ($tokenValue = $request->getPost($this->config->tokenName)) {
+            if (! is_string($tokenValue)) {
+                return null;
+            }
+
             return $tokenValue;
         }