
When Students Turn Detectives: How Ethical Hackers Blew The Whistle on CBSE

Student ethical hackers Nisarga Adhikary and Sarthak Sidhant expose flaws in CBSE’s On-Screen Marking Portal

Edited By: Himanshi Dahiya

On 22 May, 19-year-old student Nisarga Adhikary wrote a blog post exposing vulnerabilities in the Central Board of Secondary Education’s (CBSE) On-Screen Marking (OSM) Portal, which is the board’s new digital system for examiners. In his blog post, Adhikary, an ethical hacker, explored the code of the portal and found multiple faults on the platform.

CBSE has recently moved to OSM for class 12 board examinations. This allows examiners to log in to an online portal where scanned copies of students’ answer sheets are readily available and assigned to them for evaluation. The move was mainly intended to streamline the lengthy evaluation process.

Following Adhikary's revelations, 18-year-old student Sarthak Sidhant revealed in another blog post on 30 May 2026 how CBSE rewrote rules to favour a specific vendor, Coempt Edu Teck. The board requires a private vendor to build and host its On-Screen Marking system. Coempt Edu Teck is a Hyderabad-based firm that was responsible for the infrastructure used for CBSE’s OSM system.

17-year-old student Vedant Srivastava was one of several students who fell victim to this flawed system. On 23 May 2026, Srivastava shared on X a major discrepancy he had discovered in his Physics mark sheet. After applying to receive photocopies of his answer sheets, he found that the Physics answer sheet uploaded by CBSE was not his. His family later claimed that after sharing this, they were abused online and labelled “anti-national” and “Pakistani.”

Srivastava’s experience with the vulnerabilities present in the OSM portal was not an exceptional case. As multiple students faced similar issues, some decided to take matters into their own hands.

What Nisarga Adhikary Uncovered About The System Through Hacking 

For Nisarga, this story goes back to February of this year. Adhikary is a 19-year-old student and cybersecurity researcher who also took his class 12 board exams this year. He hacked the OSM platform on 25 February 2026 and immediately reported it to CERT-In, the Indian Computer Emergency Response Team. What he saw as an interesting online domain led to several findings about faulty software on OSM.

In his blog post, Adhikary reveals multiple vulnerabilities that he found on the OSM portal. First, the portal's script contained a “hardcoded master password.” Adhikary explained that this leaves students at risk, as all an attacker would need is a target’s user ID and school code (which can be found publicly) and the master password, which anyone can download. Having obtained these easily, Adhikary was able to log in as an examiner.

Adhikary also found issues including a lack of password protection, the ability to bypass OTP, and the ease with which an attacker could act as an examiner and make edits freely.

All of this was promptly reported to CERT-In in February. Adhikary received one response saying that this would be checked. However, after following up several times, he never heard back.

Adhikary claims that since the blog post was published, CBSE has denied all of these vulnerabilities. CBSE has now said that it is “grateful” for having such weaknesses pointed out.

What Sarthak Sidhant Discovered About How CBSE Rewrote Tender Rules To Favour Coempt Edu Teck 

18-year-old Sarthak Sidhant, another student who took his class 12 board examinations this year, discovered that CBSE rewrote terms, rules, conditions, and clauses to favour its vendor Coempt Edu Teck, a company that has already been linked to the 2019 Telangana State Board Examination controversy.

In his blog post, Sidhant outlines that since CBSE is a public institution, it cannot simply choose a private vendor of its liking. Rather, it must invite competitive bids by issuing a public Request for Proposal (RFP).

Sidhant found that, while issuing the RFP, the board had wiped out clauses pertaining to company history that would indicate a failure to properly meet contractual obligations, financial failures, or abandoned work. Additionally, the board dropped its Capability Maturity Model Integration (CMMI) level from 5 to 3. CMMI levels measure software engineering quality, so a lower level implies more risk for sensitive student information. A decrease in scanner quality was also found.

Sidhant outlines how this is not just a coincidence. Due to lowered financial baselines and dropped security certifications, the board favoured a private vendor that has already been caught in an incident of false scanning.

CBSE has responded to the concerns raised by publicly stating that they have “deployed a team of cybersecurity professionals” who will look into the vulnerabilities of the OSM portal. The board also encouraged citizens to reach out in case of any other concerns.

Given the recent NEET examination leaks and technical glitches in the CUET examinations, students are raising concerns over the state of examinations across the country.
