Browser::Open tries to use the list form of system to spawn a browser. The problem is that start is a cmd command and not a real executable, so Perl has to fall back to using the shell to launch it - and it doesn't quote the command line correctly in process. This makes Browser::Open a shell injection on Windows.

A proper solution would be either to use Win32::ShellQuote or something similar to build a proper cmd.exe command line on Windows, use Perl version of ShellExecute from WinAPI (is there such a module?) or to fall back to launching browsers directly by their paths, which is not a good idea at all.