
Who Is Nisarga Adhikary? 19-Year-Old Cyber Researcher Claims He Hacked CBSE Marking Portal, Warned Board Earlier
At a time when many CBSE students are already dealing with revaluation portal crashes, complaints about blurred answer sheets, repeated deadline extensions and reports of incorrect marks, a fresh controversy has emerged over the security of the board’s digital evaluation infrastructure. The issue gained traction after tech entrepreneur Deedy Das highlighted a months-old cybersecurity disclosure involving CBSE. The disclosure was made by 19-year-old cybersecurity researcher Nisarga Adhikary, who claims he discovered several serious vulnerabilities in the board’s On-Screen Marking (OSM) portal and reported them to the Indian Computer Emergency Response Team (CERT-In) in February.
In a blog post published on his website and shared on X on May 22, Nisarga detailed a series of alleged security flaws in the OSM platform, which is used by evaluators to assess scanned board examination answer sheets digitally.
According to him, several of the vulnerabilities remained unresolved for months despite being reported. The claims drew wider attention on May 26 when Deedy Das described the alleged issues as “an absolute embarrassment” and suggested they could have allowed unauthorized access to student marks.
CBSE has not publicly confirmed the allegations or stated whether any student records were compromised.
Nisarga explained that his investigation began after noticing that the OSM portal link was publicly accessible. While examining the platform’s backend requests, he claimed to have identified weaknesses in the authentication process.
According to the blog, the login system required a user ID, school code, password and OTP verification. However, Nisarga alleged that the actual security issues became visible only after examining the underlying code rather than the login interface itself.
One of the most significant claims involved what Nisarga described as a hardcoded “master password” allegedly present in a publicly accessible JavaScript file.
He alleged that the password was directly visible in the client-side code and that it made it possible for users to bypass OTP-based login. Furthermore, he claimed that a publicly accessible flaw let third parties retrieve user IDs and school codes, which made examiner accounts insecure.
The researcher also alleged that the OTP verification mechanism was incorrectly implemented. He stated that the OTP is returned in the server response itself and verified by code executed on the browser side.
Nisarga alleged such a design would let an attacker bypass verification.
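For contrast with the design alleged above, here is a sketch of OTP verification kept entirely on the server. It is an added example, not code from the OSM portal or from the researcher's blog; the function names, the in-memory store and the limits are assumptions chosen for illustration.

```javascript
const crypto = require('node:crypto');

const OTP_TTL_MS = 5 * 60 * 1000; // assumed validity window
const MAX_ATTEMPTS = 5;           // assumed guess limit per issued code
// userId -> { hash, expires, attempts }; in-memory stand-in for a server-side store
const pending = new Map();

const hashOtp = (otp) => crypto.createHash('sha256').update(String(otp)).digest();

// Step 1: the server generates the code and sends it out-of-band via `deliver`
// (SMS or e-mail gateway). The HTTP response body never contains the code.
function issueOtp(userId, deliver, now = Date.now()) {
  const otp = crypto.randomInt(0, 1000000).toString().padStart(6, '0');
  pending.set(userId, { hash: hashOtp(otp), expires: now + OTP_TTL_MS, attempts: 0 });
  deliver(userId, otp);
  return { status: 'otp_sent' };
}

// Step 2: the comparison happens on the server; the browser only submits a guess.
function verifyOtp(userId, submitted, now = Date.now()) {
  const rec = pending.get(userId);
  if (!rec) return { ok: false, reason: 'no_pending_otp' };
  if (now > rec.expires) {
    pending.delete(userId);
    return { ok: false, reason: 'expired' };
  }
  if (rec.attempts >= MAX_ATTEMPTS) {
    pending.delete(userId); // force a fresh code after too many guesses
    return { ok: false, reason: 'locked' };
  }
  rec.attempts += 1;
  // Both digests are 32 bytes, so timingSafeEqual never throws on length.
  if (!crypto.timingSafeEqual(rec.hash, hashOtp(submitted))) {
    return { ok: false, reason: 'mismatch' };
  }
  pending.delete(userId); // single use: a replayed code finds no record
  // A session is minted only after the server itself has verified the code.
  return { ok: true, session: crypto.randomBytes(32).toString('hex') };
}
```

Because the session token is created only inside `verifyOtp`, nothing the browser stores or edits can stand in for a successful check.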
The blog claimed the vulnerabilities went beyond authentication mechanisms.
Nisarga alleged that several internal areas of the application had unprotected routes and could be accessed by modifying values in browser storage. He also claimed that the password reset process did not verify existing passwords before allowing changes.
According to the researcher, when combined with what he described as insecure direct object reference (IDOR) vulnerabilities, these weaknesses could potentially enable account takeovers without requiring legitimate credentials.
A major focus of the controversy is the timeline of the disclosure.
Nisarga says he informed CERT-In immediately after discovering the vulnerabilities in February. According to his account, he submitted detailed reports, responded to requests for additional information and provided demonstration videos explaining the alleged flaws.
Moreover, he says he later received an acknowledgement from CERT-In confirming that the report had been registered. However, he says that repeated follow-ups did not yield any additional information about remediation.
Although the findings had been shared within cybersecurity communities for months, they reached the mainstream after Deedy Das publicly highlighted the disclosure on X.
Das had earlier reported a similar, though less severe, security problem involving education, and had added that such breaches are potentially dangerous for students and examinations.
The comment drew wide attention online, with commenters raising concerns about the security practices of educational systems and breach disclosures.
This is a sensitive period for CBSE, as the examination system is instrumental to millions of students in India and abroad. For students, examination marks determine college admissions, scholarship awards and numerous career opportunities. Because of this, any allegations about the assessment systems naturally attract public attention.
At the same time, certain commenters and cybersecurity experts have urged caution, noting that the allegations have not yet been independently validated in the public domain by CBSE.
As of now, CBSE has not issued a public response confirming or disputing the allegations outlined in Nisarga’s blog. There is also no public evidence suggesting that student marks were altered or that the vulnerabilities were exploited.