Does not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory.
Does not properly preserve the taint attribute of data, which might allow context-dependent attackers to bypass the taint protection mechanism via a crafted string.
canonpath() has some logic in it that avoids collapsing a //double/slash at the beginning of a pathname on platforms where that means something special. It used to check the value of $^O rather than the class name it was called as, which meant that calling File::Spec::Cygwin->canonpath() didn't act like Cygwin unless you were actually *on* Cygwin. Now it does.
Fixed a major bug on Cygwin in which catdir() could sometimes create things that look like //network/paths in cases when it shouldn't (e.g. catdir("/", "foo", "bar")).
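
An added example, not code from the original page or from the project it describes, for the first entry above: assuming the "includes directory array" is Perl's @INC, it shows a guard that drops a trailing "." and a check that lists the entries still resolving against the current working directory. The function names and the sample search path are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Guard for the live search path of this process. It runs at compile time,
# so it takes effect before the "use" statements that follow it.
BEGIN { pop @INC if @INC && !ref($INC[-1]) && $INC[-1] eq '.' }

use File::Spec;

# Return a copy of the list without a trailing "." entry, so a module lookup
# that misses every real library directory cannot fall through to the
# current working directory.
sub strip_trailing_dot {
    my @inc = @_;
    pop @inc if @inc && !ref($inc[-1]) && $inc[-1] eq '.';
    return @inc;
}

# Return the entries that resolve against the current working directory:
# "." itself and any other relative path. Code-ref hooks are skipped.
sub cwd_relative_entries {
    return grep { !ref($_) && !File::Spec->file_name_is_absolute($_) } @_;
}

# Constructed search path for illustration, not taken from a real system.
my @sample_inc = ('/usr/lib/perl5', '/usr/share/perl5', 'lib', '.');

my @before = cwd_relative_entries(@sample_inc);
my @after  = cwd_relative_entries(strip_trailing_dot(@sample_inc));

print "sample, relative entries before: @before\n";
print "sample, relative entries after:  @after\n";

# Audit what is left in the live search path after the BEGIN guard.
my @live = cwd_relative_entries(@INC);
print "live \@INC, relative entries: ",
      (@live ? join(', ', @live) : '(none)'), "\n";
```

The guard removes only a trailing "."; other relative entries such as "lib" are reported by the check but left in place, since they are usually added deliberately.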