CBSE Denies OSM Breach Claim; 19-Year-Old Hacker Shares 'Video Evidence' Of Vulnerability

While CBSE has firmly denied any compromise of its operational evaluation systems, the student continues to maintain that vulnerabilities exist and have not been fully addressed.

The claims and counterclaims have not been independently verified.

The Central Board of Secondary Education (CBSE) on Tuesday issued a detailed clarification on its official X handle after facing widespread criticism over allegations that its On-Screen Marking (OSM) system had been compromised. The controversy began after a 19-year-old student, who identifies himself as "Nisarga" on social media, claimed that he had breached CBSE's On-Screen Marking system in February 2026. He further alleged that the portal bearing the URL cbse.onmark.co.in had been compromised by him on February 26, 2026.

CBSE's clarification

Responding to the claims, CBSE clarified that the portal cited in the social media post is not the actual evaluation platform used for marking answer sheets.

The Board stated that the URL cbse.onmark.co.in is a testing site used only for internal testing and review purposes, containing sample data and not any real examination-related data such as marks or evaluation records.

CBSE further said that the actual On-Screen Marking system used for evaluation operates on a different URL, which has not been compromised and does not contain the vulnerabilities mentioned in the viral social media post.

It also emphasised that no security breaches have been reported in the production environment used for official evaluation work. The Board added that the OSM system has been designed to enhance transparency in assessment processes and includes grievance redressal mechanisms along with security safeguards to maintain data integrity.

Student's counterclaims

Shortly after CBSE's clarification, the student "Nisarga" responded on X, disputing the Board's explanation and questioning how he was allegedly able to access what he described as "production data" on the same domain.

"Then how was I able to access production data on that site? All of the mirrors you had under the onmark domain had the same vulnerabilities. It's sad that you can't even investigate security reports properly," he wrote, sharing screenshots as supporting evidence.

In subsequent posts, the student shared a video claiming it demonstrated a security lapse that allegedly exposed a master password, which he said could allow unauthorised access to systems containing production data.

He further claimed that he had reported the vulnerabilities earlier and alleged that most issues remained unpatched even after being flagged to CERT-In. He also cited archived versions of the portal and JavaScript files, claiming that the vulnerabilities were still present in the system code.

Tagging cybersecurity researcher Karan Saini, a hacker and alumnus of the Centre for Internet and Society, he alleged that the same master password appeared to be present across multiple subdomains under the onmark domain and said he was already in touch with CERT-In regarding the issue.

In a later post, he questioned CBSE's technical architecture, stating that all working subdomains under the onmark domain appeared to point to the same load balancer. In his view, this raised questions about CBSE's claim that the test environment was separate from production systems.

Ongoing dispute

While CBSE has firmly denied any compromise of its operational evaluation systems, the student continues to maintain that vulnerabilities exist and have not been fully addressed. The claims and counterclaims have not been independently verified.
As of now, there has been no official response from CBSE addressing the student's latest allegations in detail.
