Summary HttpSignatureService::verifySignature() checks the result of PHP's openssl_verify() with a loose boolean negation if (!openssl_verify(...)) { throw ... }. PHP's openssl_verify has four possible return values: |…
| CVE ID | CVE-2026-52767 |
| Vendor | composer |
| Affected Product | yeswiki/yeswiki |
| Vulnerability Type | Vulnerability |
| CVSS Score | 8.2 (HIGH) |
| Actively Exploited | ❌ No known exploitation |
| Patch Status | See Vendor Advisory → |
| Reported By | CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories) |
#
HttpSignatureService::verifySignature() checks the result of PHP's openssl_verify() with a loose boolean negation - if (!openssl_verify(...)) { throw ... }. PHP's openssl_verify has four possible return values: | return | meaning | !return | | ------ | ------------------------------------------------ | --------- | | 1 | signature is valid | false | | 0 | signature is invalid | true ✓ | | -1 | the verify call itself failed (internal error) | false ❌ | | false| input rejected by PHP's argument validation | true ✓ | The -1 row is the bypass: PHP's truthiness rules make -1 a truthy value, so !(-1) === false, the throw is skipped, and the controller proceeds to processActivity(). Any condition that makes OpenSSL's EVP_VerifyFinal() return `
Sigma rules, YARA signatures, IOC table, and SIEM queries for Splunk, Elastic, Sentinel, and Chronicle — deployable in 5 minutes.