When an application attempts to access a URL that uses a protocol that it does not understand, it may choose to pass the URL to a registered handler for that protocol. If that registered handler is Opera, it will be started, passing the URL to open.
Some external applications do not ensure that the URL they are passing is in a valid format for a URL, and may pass it without correct URL encoding.
Carefully constructed URLs may cause Opera to treat these incorrectly encoded URLs as command line parameters, which could then be exploited to run code of the attacker’s choice.
This vulnerability affects Opera for Microsoft Windows.
Opera Software has released Opera 9.51, where this issue has been fixed.
Thanks to Billy Rios for reporting this issue to Opera Software.