The CGI::Application module before 4.50_50 and 4.50_51 for Perl, when run modes are not specified, allows remote attackers to obtain sensitive information (web queries and environment details) via vectors related to the dump_html function.
The param() method has been extended to allow multiple parameters to be set at one time, via a hash (or hashref).
Fixed bug in run() method where a null-string run-mode would be considered valid. A zero-length run-mode will now result in the start_mode() being called. (Thanks to Mark Stosberg for the two preceding ideas!)
The run_mode() method now may be called a subsequent time to amend the list of run-modes.