I don't believe a CVE was requested for this issue. Looks like it requires a 2013 CVE. Copying and pasting from our bug [5]:
It was reported [1],[2] that the CGI::Application Perl module suffered from a flaw where, in certain cases, it would unexpectedly dump a complete set of web query data and server environment information as an error page. This could allow unintended disclosure of sensitive information.
A suggested fix is available [3] and the commit that caused the problem [4] was most likely introduced in version 4.19.
[1] https://rt.cpan.org/Public/Bug/Display.html?id=84403
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=739505
[3] https://github.com/markstos/CGI--Application/pull/15
[4] https://github.com/markstos/CGI--Application/commit/61d327646f01fe
[5] https://bugzilla.redhat.com/show_bug.cgi?id=1067180
This pull request resolves the issue raised in https://rt.cpan.org/Public/Bug/Display.html?id=84403
Application.pm
A new runmode named no_runmodes is now called rather than dump_html when no run modes are specified. This returns a message to the user reporting the problem, without exposing anything which may raise security concerns. The POD has been updated, asking the user to think about potential security issues when calling dump_html.
basic.t/TestApp.pm
Add tests for the new runmode
load_tmpl_hook.t
Test required an update as it was dependent on Application.pm returning the output of dump_html
In addition to the changes above, some very minor changes to the indentation.
If there are any issues please let me know.
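To illustrate the defensive side of the change described above, here is an added example (not code from this pull request or from the CGI::Application project) of a small application that declares every run mode explicitly, so the dispatcher never has to fall back to a default, and routes run-mode failures through error_mode to a fixed error page instead of any diagnostic dump. The package name SafeApp, its run modes and the simulated failure are constructed for the example; it assumes CGI::Application and CGI are installed.

```perl
package SafeApp;
use strict;
use warnings;
use base 'CGI::Application';

# Declare every run mode explicitly so that dispatch never relies on a
# library default that could expose query data or the environment.
sub setup {
    my $self = shift;
    $self->start_mode('start');
    $self->mode_param('rm');
    $self->run_modes(
        start => 'show_start',
        about => 'show_about',
    );
    # Any die() inside a run mode is routed here instead of reaching the client.
    $self->error_mode('show_error');
}

sub show_start {
    my $self = shift;
    return "<html><body><h1>Welcome</h1></body></html>";
}

sub show_about {
    my $self = shift;
    die "backend unavailable\n";    # constructed failure to exercise error_mode
}

sub show_error {
    my ($self, $err) = @_;
    # Keep the real diagnostic server-side (web server error log) ...
    warn "SafeApp error: $err";
    # ... and send the client only a fixed, non-revealing page.
    $self->header_props(-status => '500 Internal Server Error');
    return "<html><body><p>An internal error occurred.</p></body></html>";
}

package main;
use strict;
use warnings;
use CGI;

# With CGI_APP_RETURN_ONLY set, run() returns the output instead of printing
# it, which makes the behaviour easy to check from a script or test.
$ENV{CGI_APP_RETURN_ONLY} = 1;

for my $rm ('start', 'about') {
    my $app = SafeApp->new(QUERY => CGI->new({ rm => $rm }));
    my $out = $app->run();
    my $kind = $out =~ /internal error occurred/ ? 'generic error page' : 'normal page';
    print "rm=$rm -> $kind\n";
}
```

Running the script prints "normal page" for rm=start and "generic error page" for rm=about; the constructed "backend unavailable" message appears only on STDERR. A run mode that is not in the run_modes map is rejected by CGI::Application before the run-mode method is invoked, so that case is not part of this loop.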
MartinMcGrath added some commits a month ago
Martin McGrath Update Application.pm … dcadc36
Martin McGrath Update basic.t - … 08b75f1
Martin McGrath Update TestApp.pm - add runmode dump_htm … fe7e9bf
Martin McGrath Update basic.t … b6058d9
Martin McGrath Update loat_tmpl_hook.t … 727bb70
Martin McGrath Update Build.PL … b913740
Martin McGrath Update Build.PL … c359b6b
Martin McGrath Update basic.t b746df9
Martin McGrath Update Application.pm - Update POD, add warning … 7849b4c
fionnb commented 10 hours ago
I would like to STRONGLY endorse the application of this patch.
I just was about to open a report for exactly this issue when I found it already addressed by Martin. The problem has been introduced with commit 61d3276 already but probably did not cause major hassle until it arrived in recent Debian repos lately. The security implications of an unexpected and potentially uncontrollable var dump to the world are very serious. We also have lost quite some time trying to find out where this unexpected dump came from in the first place and how it was caused. As an added "bonus", the output of dump_html is not even a valid HTML page.