CBSE Rejects Student’s OSM Portal Hacking Claim, Issues Clarification Over Incorrect URL

New Delhi: The Central Board of Secondary Education (CBSE) on Tuesday rejected claims circulating on social media regarding the alleged compromise of its On-Screen Marking (OSM) system, stating that the portal cited in the post is a testing site and not the operational evaluation platform.

"In a post made by a user on social media, it has been claimed that the CBSE On Screen Marking (OSM) bearing URL: cbse.onmarks.co.in was compromised by him on 26.02.2026. This has also formed the basis for a few news articles," CBSE said in a statement on X.

Clarification Regarding Claim of Compromise of CBSE OSM Portal

In a post made by a user on social media, it has been claimed that the CBSE On Screen Marking (OSM) bearing URL: https://t.co/cuLrvsxzOH was compromised by him on 26.02.2026. This has also formed the basis for a few…

— CBSE HQ (@cbseindia29) May 26, 2026

ALSO READ: CBSE Re-Evaluation Portal Glitch: Govt Brings In PSU Banks, IIT Experts To Fix Payment Gateway Issues

"At the outset, it is clarified that the Portal used for evaluation of answer-books bore a different URL, which has neither been compromised nor does it have the vulnerabilities indicated in the said social media post.

"The URL: cbse.onmarks.co.in is the testing site only with sample data for internal testing and review purposes," it added.

The board said there are no actual evaluation data, marks or other data kept on that portal, and "no security breaches have come to light." On May 22, a user on social media claimed he had hacked into the CBSE's "OSM" portal used for class 12 board exam evaluation and found critical vulnerabilities.

Class 12 Student Claims To Have Hacked CBSE’s OSM Portal

The user ‘Nisarga’ described himself as a cybersecurity researcher by hobby in a blog on X and claimed that he gave his Class 12 exams this year.

“I had hacked CBSE's OSM (On-Screen Marking Portal) in February and had reported the vulnerabilities to CERT-In, but they were unable to patch most of them,” he posted on X, adding that he “found another severe vulnerability in CBSE's OSM portal.”

Hacker Alleges Ability To Change Marks And Examiner Details

Speaking to a TV channel later, he claimed that he could change the teacher's name, roll number, and bank details on the CBSE site.

“I could put marks on the answer sheet of the students,” he claimed.

Nisarga, in a blog on X, claimed that these flaws allowed logging in as any examiner using a master password leaked in the frontend, bypassing OTP entirely because validation happens in the browser, reaching any internal page without authenticating at all, and resetting any examiner's password without knowing their current one.

Claims Of Security Flaws Raise Concerns Over Evaluation Process

He said he could act as any user across the API thanks to systemic IDOR (Insecure Direct Object Reference), and in doing so, edit marks, change examiner details, and tamper with the evaluation process.

Meanwhile, CBSE asserted that its system has safeguards for transparency and grievance redressal.

“The Board would like to state that this system has been implemented for enhanced transparency in assessments with strong grievance redressal mechanisms built into it and would reassure all concerned about the strong safeguards implemented to ensure integrity of the platform actually deployed as regards any vulnerabilities,” it said.

CBSE Issues Clarification Over Incorrect URL In X Post

Later, the board issued a follow-up statement on X after users there pointed out that the URL mentioned in its earlier post was incorrectly formatted and was redirecting to the blog of the individual who had made the hacking claim.

ALSO READ: CBSE Admits Answer Sheet Error, Sends Correct Copy After Student Trolled As ‘Pakistani’

The board said that the earlier reference contained a typographical error, where an extra “s” had been inadvertently included in the URL, and has now reissued the post with the corrected link.

“In the previous post, the URL had an extra ‘s’ inadvertently. So, the post has been reissued with the correct URL: http://cbse.onmark.co.in,” the board said.

CBSE Portal Link Shows ‘502 Bad Gateway’ Error

When checked, the latest link provided in the statement gave a “502 Bad Gateway” error.

Education Loan Information:
Calculate Education Loan EMI