FINO WORLD

CBSE faces fresh scrutiny after teen researcher alleges critical flaws in OSM portal, claims Class 12 marks could be altered



NEW DELHI: Even as the Central Board of Secondary Education (CBSE) continues facing criticism over answer sheet mix-ups, portal crashes and payment glitches in the Class 12 post-result process, a fresh controversy has now emerged around the security of its newly introduced On-Screen Marking (OSM) system.

A 19-year-old cybersecurity researcher, Nisarga Adhikary, has alleged that he discovered multiple critical vulnerabilities in CBSE’s OSM portal that could potentially allow unauthorised access to examiner accounts, password resets and even modification of students’ marks. The claims, published in a detailed technical blog post and amplified widely on X, have triggered fresh concerns over the board’s digital preparedness after weeks of complaints from students over mismatched answer sheets, blurred scans and evaluation discrepancies.

Teen researcher details alleged flaws in CBSE evaluation portal

In his blog titled “Exposing Critical Vulnerabilities in CBSE’s On-Screen Marking Portal”, Adhikary claimed he discovered the issues on February 25 and reported them to CERT-In before making them public.

“I was able to log in as an examiner and reach the evaluation dashboard, where I could view and edit marks,” he wrote.

According to the blog, the alleged vulnerabilities included a “hardcoded master password” visible inside the portal’s JavaScript bundle, client-side OTP validation, missing route protections, password reset flaws and what he described as a “systemic IDOR vulnerability”.

“One of the hardest things was not exploitation,” he wrote, “The hardest part was reading a JavaScript file and editing a couple of values in DevTools.”

Adhikary also alleged that OTP verification was effectively meaningless because “the browser grades its own test”.

“A security control that runs on the attacker’s machine isn’t a control at all,” he wrote.

Claims surface amid growing scrutiny of OSM rollout

The controversy comes days after CBSE admitted that a Delhi student, Vedant Shrivastava, had received another student’s Physics answer sheet under his roll number due to a technical error in the OSM-linked scanning process.

The board later acknowledged the mistake and sent the correct answer sheet to the student.

The OSM system was introduced for Class 12 evaluations this year as part of CBSE’s push towards digital assessment and faster post-result processing.

Software engineer Deedy Das, reacting to Adhikary’s findings on X, wrote: “A 19-year old broke into India’s largest high school examination system of 2M+ students a year, the CBSE, and was able to view and CHANGE any students’ marks.”

Das added that the researcher had responsibly disclosed the vulnerabilities months earlier and claimed “not much has changed” despite previous warnings about similar flaws in CBSE systems.

CERT-In informed, website later taken offline

Adhikary said he reported the vulnerabilities to CERT-In and received an acknowledgement reference number. According to his blog, only some issues were fixed initially.

“Most of the vulnerabilities I reported went unpatched for a long time,” he wrote.

Soon after the claims gained traction online, the OSM portal became inaccessible temporarily, with users reporting that the website had been taken offline.

Disclaimer: The claims regarding vulnerabilities in CBSE’s On-Screen Marking (OSM) portal are based on statements made by cybersecurity researcher Nisarga Adhikary and publicly available information. CBSE has not officially confirmed the extent or impact of the alleged security flaws at the time of publication. CBSE and CERT-In responses, if any, will be updated as they become available.


