A security researcher has exposed five critical vulnerabilities in India's Central Board of Secondary Education digital examination platform, potentially compromising the academic futures of millions of students across the country's 28,000 affiliated schools.
The flaws, discovered by researcher Nisarga and reported to India's Computer Emergency Response Team in February 2026, range from hardcoded passwords in publicly accessible code to authentication systems that could be bypassed with basic browser manipulation.
"An attacker can set `ValuatorID` to any victim and reset their password to one you control. That's a complete account takeover," the researcher explained in a detailed technical disclosure.
A billion people aren't a statistic - they're a billion stories. For students like Vedant, a Class XII student in Delhi who recently alleged his answer sheet was mixed up, these vulnerabilities represent more than technical failures - they're threats to years of hard work and future opportunities.
The most alarming flaw involves a master password embedded in plaintext within the platform's JavaScript code, accessible to anyone with basic web development knowledge. The system also returned one-time password codes inside its authentication responses, so the check was effectively performed by the browser rather than the server, defeating the entire purpose of two-factor authentication.
Additionally, the Angular application lacked proper authentication controls on internal routes, making supposedly secure pages directly accessible through browser console manipulation. The password-reset system never verified users' current passwords before accepting new ones.
Most critically, the architecture relied on user-supplied identifiers from browser storage rather than authenticated session data, creating what security experts call an "Insecure Direct Object Reference" vulnerability. This flaw allowed attackers to impersonate any examiner in the system.
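The two server-side flaws described above (a password reset that skips the current-password check, and trusting a client-supplied `ValuatorID` instead of the authenticated session) are shown here beside a hardened handler. This is an added example, not CBSE's code or the researcher's; the handler names, request shape, session store and sample accounts are hypothetical and constructed.

```javascript
// Added illustration. Everything except the ValuatorID field name is hypothetical.
const { scryptSync, randomBytes, timingSafeEqual } = require("node:crypto");

// Salted scrypt hash; the stored record keeps the salt next to the hash.
const hashPassword = (password, salt = randomBytes(16)) =>
  ({ salt, hash: scryptSync(password, salt, 32) });

// Constant-time comparison of the recomputed hash with the stored one.
const verifyPassword = (password, rec) =>
  timingSafeEqual(scryptSync(password, rec.salt, 32), rec.hash);

// Constructed sample data: two examiner accounts and one server-side session.
const users = new Map([
  ["V1001", hashPassword("alice-old-pw")],
  ["V2002", hashPassword("bob-old-pw")],
]);
const sessions = new Map([["sess-abc", { valuatorId: "V1001" }]]);

// Pattern the article describes: the target account is taken from the request
// body and the current password is never checked.
function resetPasswordVulnerable(req) {
  const { ValuatorID, newPassword } = req.body;
  if (!users.has(ValuatorID)) return { status: 404 };
  users.set(ValuatorID, hashPassword(newPassword));
  return { status: 200 };
}

// Hardened: the account is resolved only from the authenticated session, and
// the caller must prove knowledge of the current password first.
function resetPasswordHardened(req) {
  const session = sessions.get(req.sessionToken);
  if (!session) return { status: 401 };
  const { currentPassword, newPassword } = req.body;
  const record = users.get(session.valuatorId);
  if (typeof currentPassword !== "string" || !verifyPassword(currentPassword, record)) {
    return { status: 403 };
  }
  if (typeof newPassword !== "string" || newPassword.length < 12) {
    return { status: 400 };
  }
  // Any ValuatorID supplied in the body is ignored.
  users.set(session.valuatorId, hashPassword(newPassword));
  return { status: 200 };
}
```

In the hardened handler a request that names another examiner's `ValuatorID` can only ever change the password of the account bound to the session, and only after the current password verifies.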
With these vulnerabilities, bad actors could view assigned answer scripts and alter marks - directly compromising exam integrity at a national scale for India's most important standardized assessments.
The CBSE system serves millions of evaluations annually. In 2025 alone, over 20 million students appeared for Class X and XII examinations, with results determining university admissions and career paths across India.
Despite the severity of these findings, the researcher reported receiving only automated acknowledgments from CERT-In with no subsequent updates on remediation efforts. The disclosure comes amid growing concerns about India's digital governance infrastructure as the country accelerates its push toward e-governance and digital public services.
The revelations have sparked debate about whether India's rapid digitization is outpacing its cybersecurity capabilities. As one of the world's fastest-growing digital economies, the country faces mounting pressure to secure systems that affect hundreds of millions of citizens.
For parents and students across India, the discovery raises uncomfortable questions: How many other critical systems contain similar flaws? And how many students' futures have already been affected by compromised results?


