qDecoder before 12.1.0 does not ensure that the percent character is followed by two hex digits for URL decoding.

Buffer overflow in qDecoder library 5.08 and earlier, as used in CrazyWWWBoard, CrazySearch, and other CGI programs, allows remote attackers to execute arbitrary commands via a long MIME Content-Type header.