Tuesday, May 26, 2026

How a 19-year-old student hacked CBSE’s OSM portal, exposed vulnerabilities

After discovering the vulnerabilities, Nisarga Adhikary sent emails to multiple authorities, including the Indian Computer Emergency Response Team and other government-linked cybersecurity contacts, but did not receive a satisfactory response.


New Delhi: Nisarga Adhikary was just curious when CBSE announced the newly launched On-Screen Marking system, where examiners assess scanned copies of answer sheets on a computer instead of on paper. The 19-year-old ethical hacker went to the website’s code and found numerous flaws that could allow anyone with basic technical knowledge to bypass OTP authentication, impersonate examiners, reset passwords, and even alter marks scored by students. 

“It took me less than an hour to find all the vulnerabilities inside the system. Anyone can impersonate any examiner to their choice. The access control is totally broken,” Adhikary, a Class-12 student, said. “I could change the marks. There is no OTP security, anyone can change the password”.

It was pure curiosity that drew him to “play around” with the portal and he claims it was very easy for him to do.

“It was one of the easiest hacks of my life. You don’t even need to know programming, you just need to know control point F and need to know the logic. That was the master vulnerability,” Adhikary, a resident of West Bengal, added. 

The glitches in the OSM system have been flagged by students after the results were announced. Students have complained about the many irregularities in the new system introduced by the CBSE this year. The overall result has also witnessed a dip and many students complained of scoring low marks. Many asked for the scanned answer sheets and found that the copy they submitted was missing or, in many cases, the handwriting was different.

With Adhikary’s claim, the situation has become more serious. Union Education Minister Dharmendra Pradhan has asked senior officials to look into the glitches. 

“Student interests remain paramount, and all corrective measures must be undertaken by CBSE on priority to ensure a transparent, efficient and student-friendly system,” said Pradhan in a statement on 24 May.

He also directed CBSE to urgently address glitches in the post-result process and strengthen the portal’s digital infrastructure with the help of IIT experts and public sector banks.

The CBSE, however, denied that its OSM portal was hacked, issuing a detailed clarification on X on Tuesday.

“It is clarified that the Portal used for evaluation of answer-books bore a different URL, which has neither been compromised nor does it have the vulnerabilities indicated in the said social media post,” CBSE wrote in response to Adhikary’s claims.

It added that the URL, which Adhikary claimed had flaws, was “the testing site only with sample data for internal testing and review purposes.”

“There are no actual evaluation data, marks or other data held on that portal. The Board emphasises that no security breaches have come to light on the Portal deployed for the actual evaluation work,” the post read.

Replying to CBSE’s clarification, Adhikary claimed that the URL in CBSE’s post was “not even a real domain”, and that it was directing users to his blog.

The flaws

After discovering the vulnerabilities, Adhikary sent emails to multiple authorities, including the Indian Computer Emergency Response Team (CERT-In) and other government-linked cybersecurity contacts, but did not receive a satisfactory response.

“It’s very disrespectful, to be honest, to not get a response after following up several times. There are companies who take lakhs of rupees to do this kind of audits and I’m doing it for free just to help them — and they’re not responding. That’s just arrogance and negligence from their side,” he added.

For the next three days, the portal was down and Adhikary claimed that during that time, only one glitch had been fixed. The teen flagged six high-severity vulnerabilities that were still present on the site, including one on the master password.

A “master password” flaw means the website had a secret universal password hidden inside its code. If someone found that password, they could log in as any examiner without needing the OTP sent to the teacher’s phone.

Adhikary claims that the OTP verification happened in the user’s browser instead of on the server. It means that anyone inspecting the website could see the OTP and bypass the security check.

“The OTP was coming to the browser and the browser was validating it. That is really insecure. Anyone who accesses the browser can read the OTP and access it,” said Adhikary. 

He also said that anyone can create a new password without entering the old password, and that examiner identities can be manually edited through browser storage values, allowing someone to impersonate teachers, access their details, and potentially alter marks or evaluation records.

“To reset passwords, you generally need the old password and the new password. But it wasn’t even sending the old password to the server. Anyone could just enter a user ID, type any gibberish old password and set a new one,” Adhikary added.
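For contrast with the flaws described above, here is a sketch of how a server can keep these checks on its own side. It is an added illustration, not code from the CBSE portal or from Adhikary's blog; every function name, the five-minute validity and the five-guess limit are assumptions. There is deliberately no code path that accepts a universal password.

```javascript
// Added illustration, not code from the CBSE portal; all names are hypothetical.
const crypto = require('crypto');

const OTP_TTL_MS = 5 * 60 * 1000;   // assumed 5-minute validity
const MAX_ATTEMPTS = 5;             // assumed guess limit per OTP
const otpStore = new Map();         // userId -> { hash, expires, attempts }
const users = new Map();            // userId -> { salt, hash }

const sha256 = (s) => crypto.createHash('sha256').update(s).digest();
const pwHash = (pw, salt) => crypto.scryptSync(pw, salt, 32);

// The OTP goes only to the out-of-band channel (SMS); the browser gets a status.
function issueOtp(userId, now = Date.now()) {
  const otp = String(crypto.randomInt(0, 1000000)).padStart(6, '0');
  otpStore.set(userId, { hash: sha256(otp), expires: now + OTP_TTL_MS, attempts: 0 });
  return { deliver: otp, response: { status: 'otp_sent' } };
}

// The comparison runs on the server: single use, expiring, attempt-limited.
function verifyOtp(userId, submitted, now = Date.now()) {
  const rec = otpStore.get(userId);
  if (!rec || now > rec.expires || rec.attempts >= MAX_ATTEMPTS) {
    otpStore.delete(userId);
    return false;
  }
  rec.attempts += 1;
  const ok = crypto.timingSafeEqual(rec.hash, sha256(String(submitted)));
  if (ok) otpStore.delete(userId);
  return ok;
}

function createUser(userId, password) {
  const salt = crypto.randomBytes(16);
  users.set(userId, { salt, hash: pwHash(password, salt) });
}

// Identity comes from the server-side session, not from a value the browser
// stores and can edit; the old password is checked against the stored hash.
function changePassword(session, oldPassword, newPassword) {
  const user = users.get(session ? session.userId : undefined);
  if (!user) return false;
  const oldOk = crypto.timingSafeEqual(user.hash, pwHash(String(oldPassword), user.salt));
  if (!oldOk) return false;
  user.salt = crypto.randomBytes(16);
  user.hash = pwHash(String(newPassword), user.salt);
  return true;
}
```

Because the browser only ever receives `{ status: 'otp_sent' }`, inspecting the page or its network traffic reveals nothing that passes `verifyOtp`.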




‘Playing around’

Adhikary recently completed Class 12 and describes himself as a hobbyist cybersecurity researcher who has previously worked on bug bounty and vulnerability-hunting projects. 

The West Bengal native studied in Delhi for a few years and built cybersecurity tools as well. He claims to have been involved in ethical hacking and security testing for several years.

“I used to do ethical hacking for a while and thought it would be good if I could play around and find bugs in it,” he told ThePrint.

Adhikary said he initially chose not to make the vulnerabilities public and instead reported them to CERT-In, before posting anything online. After receiving no response from agencies regarding his findings for months, Adhikary wrote a blog. 

He shared screen recordings, technical details, and demonstrations of the flaws, including the alleged OTP bypass and password-reset vulnerabilities. His post went viral and the CBSE platforms went down. The flaws still remain.

“They just took down all the portals last night after my tweet went viral. They didn’t fix it… I don’t believe there were things wrong with the portal—it’s clearly visible,” he wrote in his blog.

Adhikary also claimed that anyone can tamper with or disrupt the grading process, which directly threatens the integrity of the exam evaluations.

 “None of this required sophisticated exploitation. The hardest part was reading a JavaScript file and editing a couple of values in DevTools,” he wrote.

(Edited by Aamaan Alam Khan)
