CBSE Clarifies ‘Compromised’ OSM Portal Mentioned In Hacking Claim Was Only Testing Site




The CBSE’s response came after a 19-year-old hacker claimed to have hacked its OSM portal, responsible for evaluating and processing results for students.

Students check the seating plan on a notice board before appearing for the Central Board of Secondary Education Class 10 examination, in Prayagraj. (IMAGE: PTI)


The Central Board of Secondary Education (CBSE) responded to reports of a 19-year-old man hacking its On-Screen Marking (OSM) portal, saying it was a testing site loaded with only sample data for internal testing purposes.

The response followed widespread backlash against the CBSE after a 19-year-old self-taught hacker claimed to have hacked its OSM portal, which is responsible for evaluating and processing the results of over two million Class 12 students.

Nisarga Adhikary said there were multiple security flaws in the system, about which he had notified authorities three months ago. However, only partial fixes were implemented. The CBSE website was taken offline entirely on Tuesday, triggering massive online outrage against the national examination body.

In response to the hacking claim, the CBSE clarified that the URL allegedly compromised by the hacker was cbse.onmarks.co.in, which is only a testing site with sample data for internal review purposes.

“At the outset, it is clarified that the Portal used for evaluation of answer-books bore a different URL, which has neither been compromised nor does it have the vulnerabilities indicated in the said social media post,” the CBSE said.

“The URL: http://cbse.onmarks.co.in is the testing site only with sample data for internal testing and review purposes. There are no actual evaluation data, marks or other data held on that portal. The Board emphasises that no security breaches have come to light on the Portal deployed for the actual evaluation work.”

The Board also stressed that the system was implemented for enhanced transparency in assessments and assured that strong safeguards are being implemented to ensure the integrity of the platform actually deployed.

Vulnerabilities In CBSE Portal?

In a detailed blog post on his website, Nisarga Adhikary said he discovered multiple critical vulnerabilities inside the portal, and he was able to log in as any examiner using a master password leaked on the frontend. “Anyone exploiting these could also tamper with or disrupt the grading process, which directly threatens the integrity of the exam evaluations,” he said.

“The login page asks for three things: a user ID, a school code, and a password, followed by an OTP step. Nothing about that screen looks unusual. The problems only showed up once I stopped looking at the page and started looking at the code behind it,” Adhikary said, listing several cybersecurity mistakes.

He said he found a hardcoded “master password” in a publicly accessible JavaScript bundle that anyone could download. When this master password was entered into the login form, the app automatically filled the OTP field and bypassed the normal authentication flow entirely, Adhikary pointed out.
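
The class of mistake described above, a credential literal shipped inside a downloadable JavaScript bundle, can be caught before release by scanning the build output. The following is an added example, not code from the article, the CBSE portal or Adhikary's blog post; the function name `findHardcodedCredentials`, the identifier patterns and both sample bundles are constructed for illustration.

```javascript
// Added example: heuristic release check for credential-like string literals
// in a built frontend bundle. Names and sample bundles are constructed.
const CREDENTIAL_NAME = /pass(word|wd|phrase)|pwd|otp|secret|master|token|api_?key/i;
const MIN_LITERAL_LENGTH = 6; // skip short UI strings such as "text"

// identifier = "literal", identifier: "literal", identifier === "literal"
const ASSIGN = /([A-Za-z_$][\w$.]*)\s*(?:!==?|={1,3}|:)\s*(["'])((?:\\.|(?!\2).)+?)\2/g;
// "literal" === identifier (minifiers often emit the comparison in this order)
const REVERSED = /(["'])((?:\\.|(?!\1).)+?)\1\s*(?:!=|==)=?\s*([A-Za-z_$][\w$.]*)/g;

function findHardcodedCredentials(bundleSource) {
  const findings = [];
  const record = (name, literal, index) => {
    const leaf = name.split(".").pop(); // passwordField.type -> type
    if (!CREDENTIAL_NAME.test(leaf) || literal.length < MIN_LITERAL_LENGTH) return;
    const line = bundleSource.slice(0, index).split("\n").length;
    // Report location and length only, so the secret is not copied into CI logs.
    findings.push({ line, identifier: name, literalLength: literal.length });
  };
  for (const m of bundleSource.matchAll(ASSIGN)) record(m[1], m[3], m.index);
  for (const m of bundleSource.matchAll(REVERSED)) record(m[3], m[2], m.index);
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed bundle showing the pattern the article describes: a password
// literal compared in the browser, after which the client completes the OTP step.
const VULNERABLE_BUNDLE = [
  "function submitLogin(f){",
  '  if("EXAMPLE-not-a-real-secret"===f.password){',
  "    f.otp.value=f.expectedOtp;",
  "    return finish(f)",
  "  }",
  "  return postToServer(f)",
  "}",
].join("\n");

// Constructed bundle that only forwards user input; the server decides.
const CLEAN_BUNDLE = [
  "function submitLogin(f){",
  '  passwordField.type="password";',
  "  return postToServer({user:f.user,password:f.password,otp:f.otp})",
  "}",
].join("\n");

console.log(findHardcodedCredentials(VULNERABLE_BUNDLE));
console.log(findHardcodedCredentials(CLEAN_BUNDLE));
```

A scan like this is only a tripwire: the underlying fix is for the server to decide password and OTP checks, so that nothing in the bundle can complete them.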

The issue gained attention after tech investor and prominent X voice Deedy Das called it “an absolute embarrassment” and said the futures and lives of millions rest in the hands of the “utterly incompetent”.
