PTI
New Delhi
The Central Board of Secondary Education (CBSE), on Tuesday, rejected claims circulating on social media regarding the alleged compromise of its On-Screen Marking (OSM) system, stating that the portal cited in the post is a testing site and not the operational evaluation platform.
“In a post made by a user on social media, it has been claimed that the CBSE On Screen Marking (OSM) bearing URL: cbse.Onmarks.Co.In was compromised by him on 26.02.2026. This has also formed the basis for a few news articles,” CBSE said on X.
“At the outset, it is clarified that the Portal used for evaluation of answer-books bore a different URL, which has neither been compromised nor does it have the vulnerabilities indicated in the said social media post.
“The URL: cbse.Onmarks.Co.In is the testing site only with sample data for internal testing and review purposes,” it added.
The board said there are no actual evaluation data, marks or other data kept on that portal, and “no security breaches have come to light” with the portal.
On May 22, a user on social media claimed to have hacked into the CBSE’s “OSM” portal used for class 12 board exam evaluation and found critical vulnerabilities.
The user ‘Nisarga’ described himself as a cybersecurity researcher by hobby in a blog on X and claimed that he gave his class 12 exams this year.
“I had hacked CBSE’s OSM (On-Screen Marking Portal) in February and had reported the vulnerabilities to CERT-In, but they were unable to patch most of them,” he posted on X, adding that he “found another severe vulnerability in CBSE’s OSM portal.”
Speaking to a TV channel later, he claimed that he could change the teacher’s name, roll number, and bank details on the CBSE site.
“I could put marks on the answer sheet of the students,” he claimed.
Nisarga, in a blog on X, claimed that these flaws allowed logging in as any examiner using a master password leaked in the frontend, bypassing OTP entirely because validation happens in the browser, reaching any internal page without authenticating at all, and resetting any examiner’s password without knowing their current one.
He said he could act as any user across the API thanks to systemic IDOR (Insecure Direct Object Reference), and in doing so, edit marks, change examiner details, and tamper with the evaluation process.
Meanwhile, CBSE asserted that its system has safeguards for transparency and grievance redressal.
“The Board would like to state that this system has been implemented for enhanced transparency in assessments with strong grievance redressal mechanisms built into it and would reassure all concerned about the strong safeguards implemented to ensure integrity of the platform actually deployed as regards any vulnerabilities,” it said.
