The Central Board of Secondary Education (CBSE) on Tuesday rejected claims circulating on social media regarding the alleged compromise of its On-Screen Marking (OSM) system, stating that the portal cited in the post is a testing site and not the operational evaluation platform.
"In a post made by a user on social media, it has been claimed that the CBSE On Screen Marking (OSM) bearing URL: cbse.onmarks.co.in was compromised by him on 26.02.2026. This has also formed the basis for a few news articles," CBSE said in a statement on X.
"At the outset, it is clarified that the Portal used for evaluation of answer-books bore a different URL, which has neither been compromised nor does it have the vulnerabilities indicated in the said social media post.
"The URL: cbse.onmarks.co.in is the testing site only with sample data for internal testing and review purposes," it added.
The board said there are no actual evaluation data, marks or other data kept on that portal, and "no security breaches have come to light."
On May 22, a user on social media claimed he had hacked into the CBSE's "OSM" portal used for class 12 board exam evaluation and found critical vulnerabilities.
The user 'Nisarga' described himself as a cybersecurity researcher by hobby in a blog on X and claimed that he gave his class 12 exams this year.
"I had hacked CBSE's OSM (On-Screen Marking Portal) in February and had reported the vulnerabilities to CERT-In, but they were unable to patch most of them," he posted on X, adding that he "found another severe vulnerability in CBSE's OSM portal."
Speaking to a TV channel later, he claimed that he could change the teacher's name, roll number, and bank details on the CBSE site.
"I could put marks on the answer sheet of the students," he claimed.
Nisarga, in a blog on X, claimed that these flaws allowed logging in as any examiner using a master password leaked in the frontend, bypassing OTP entirely because validation happens in the browser, reaching any internal page without authenticating at all, and resetting any examiner's password without knowing their current one.
He said he could act as any user across the API thanks to systemic IDOR (Insecure Direct Object Reference), and in doing so, edit marks, change examiner details, and tamper with the evaluation process.
Meanwhile, CBSE asserted that its system has safeguards for transparency and grievance redressal.
"The Board would like to state that this system has been implemented for enhanced transparency in assessments with strong grievance redressal mechanisms built into it and would reassure all concerned about the strong safeguards implemented to ensure integrity of the platform actually deployed as regards any vulnerabilities," it said.
Later, the board issued a follow-up statement on X after users there pointed out that the URL mentioned in its earlier post was incorrectly formatted and was redirecting to the blog of the individual who had made the hacking claim.
The board said that the earlier reference contained a typographical error, where an extra "s" had been inadvertently included in the URL, and has now reissued the post with the corrected link.
"In the previous post, the URL had an extra 's' inadvertently. So, the post has been reissued with the correct URL: http://cbse.onmark.co.in," the board said.
When checked, the latest link provided in the statement gave a "502 Bad Gateway" error.