The CGI::Application module before 4.50_50 and 4.50_51 for Perl, when run modes are not specified, allows remote attackers to obtain sensitive information (web queries and environment details) via vectors related to the dump_html function.
Documented existence of CGI::Application::Plugin::FillInForm.
path_info option to mode_param now supports negative index numbers to grab the run mode name from the other end of the PATH_INFO. (Thilo Planz)
Altered how "start_mode" default is set, allowing it to be set through the hook system in the 'init' phase. Existing applications should be unaffected.
Return value of run_modes() was documented.
Integrate more examples of using plugins into the documentation.
'error' hook was added, which is executed just before error_mode() might be called. An example use of this would be a logging plugin that wants to log that the application died. Although it's unlikely to change, it is marked as experimental for now.