The CGI::Application module before 4.50_50 and 4.50_51 for Perl, when run modes are not specified, allows remote attackers to obtain sensitive information (web queries and environment details) via vectors related to the dump_html function.
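A regression check for the exposure described above, added here as an example; it is not code from CGI::Application or from the advisory. The class name MyApp, the handler names and the canary variable are hypothetical, and the check assumes the module's default mode parameter `rm` and default start mode name `start`.

```perl
use strict;
use warnings;

package MyApp;    # hypothetical application class
use base 'CGI::Application';

# Declare every run mode explicitly, including the default start mode
# name, so no request can be answered by the built-in dump_html.
sub setup {
    my $self = shift;
    $self->run_modes(
        start    => 'show_home',
        AUTOLOAD => 'unknown_mode',    # any undeclared ?rm= value lands here
    );
}

sub show_home { return '<p>home</p>' }

sub unknown_mode {
    my $self = shift;
    $self->header_add(-status => '404 Not Found');
    return '<p>not found</p>';
}

package main;
use CGI;
use Test::More tests => 3;

$ENV{CGI_APP_RETURN_ONLY} = 1;                  # run() returns the page instead of printing it
$ENV{CANARY} = 'constructed-canary-value';      # constructed marker placed in the environment

# Constructed query strings: no run mode, the default name, and the dump method's name.
for my $qs ('', 'rm=start', 'rm=dump_html') {
    my $out = MyApp->new(QUERY => CGI->new($qs))->run;
    unlike($out, qr/constructed-canary-value/, "no environment dump for '$qs'");
}
```

Run against an application class that declares no run modes, the same loop shows whether the installed module version answers with the query and environment dump.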
html_tmpl_class() now allows setting an alternate HTML::Template class at run time. This makes it easy to set the class to be 'HTML::Template::Dumper' for debugging. You can then see and precisely test the Perl data structure that would be sent to your template, taking into account the template tokens that are actually set there. (Mark Stosberg)