Security researcher disclosed a suite of flaws in the CBSE Central Board of Secondary Education’s On‑Screen Marking portal, a web app used to grade millions of Class 12 papers. The Angular‑based system, built by Coempt EduTeck, exposed a hardcoded master password in its public JavaScript bundle, allowing anyone with a user ID and school code to bypass authentication entirely in real time.

The login flow also verifies the one‑time password on the client side, sending the OTP back in the server response and comparing it locally. Route guards are absent, so direct navigation to internal URLs succeeds after inserting fabricated tokens into localStorage. Additionally, the password‑change API ignores the old password, and every endpoint trusts the ValuatorID supplied by the browser, creating a systemic IDOR vulnerability significantly.

Combining these weaknesses lets an attacker log in as any examiner, reset their password without prior credentials, and edit marks across the board. The researcher reported the findings to CERT‑In on 25 February 2026, prompting a security advisory. The exposure threatens the integrity of national examinations and demonstrates the risks of client‑side security checks in education platforms for students.