The CGI::Application module before 4.50_50 and 4.50_51 for Perl, when run modes are not specified, allows remote attackers to obtain sensitive information (web queries and environment details) via vectors related to the dump_html function.
NOTE: This release has an important incompatibility from the 4.0 release two days ago. The 'load_tmpl' hook which was just introduced has had it's interface changed. The change allows plug-in authors to affect the parameters passed to the 'new' constructor of the template object, instead of just adding parameters later.