There are a couple of specific security issues to be concerned with when writing CGI programs. Either, both, or neither may apply to a given CGI program, but both must be considered when writing one.
If form data is requested from the user, chances are that it will be processed and used by the program for internal purposes. The important thing to look for is that user-supplied data is not passed verbatim to any sort of execution call.
An execution call is anything that causes an effect on the system, such as starting a program [e.g., 'exec(...)' in C/C++] or interpreting a statement in the programming language being used [e.g., 'eval' in Perl]. A malicious user may figure out what is going on, and a well-crafted string delivered through the HTML form may be inadvertently passed on to the execution call, which may then remove files from the system, give the malicious user access to the system, or do any number of other nasty things.
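The hardened counterpart of that mistake, as an added example that is not part of the original page: the form value is checked against an allowlist and then handed to the program as a single argument, with no shell in between. The function names, the `finger`-style lookup and the sample values are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_NAME 32

/* UNSAFE pattern the text warns about (kept as a comment, never compiled):
 *     snprintf(cmd, sizeof cmd, "finger %s", name);
 *     system(cmd);    the shell parses `name`, so "alice; echo injected"
 *                     becomes two commands instead of one argument      */

/* Allowlist: 1..MAX_NAME characters drawn from [A-Za-z0-9_] only. */
int is_safe_name(const char *s)
{
    size_t i, n;
    if (s == NULL) return 0;
    n = strlen(s);
    if (n == 0 || n > MAX_NAME) return 0;
    for (i = 0; i < n; i++)
        if (!isalnum((unsigned char)s[i]) && s[i] != '_') return 0;
    return 1;
}

/* Validate, then exec with an argument vector: no shell ever sees the value.
 * Returns the child's exit status (127 if exec failed), or -1 if the value
 * was rejected or fork/wait failed. */
int run_lookup(const char *prog, const char *name)
{
    pid_t pid;
    int status;
    if (!is_safe_name(name)) return -1;
    if ((pid = fork()) < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)prog, (char *)name, NULL };
        execv(prog, argv);
        _exit(127);                 /* reached only if execv failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample form values, already URL-decoded. */
    const char *samples[] = { "alice_01", "alice; echo injected", "-l" };
    for (size_t i = 0; i < 3; i++)
        printf("%-24s %s\n", samples[i], is_safe_name(samples[i]) ? "accept" : "reject");
    return 0;
}
```

Rejecting the leading `-` matters as much as rejecting shell metacharacters: even without a shell, a value that starts with a dash would be read by the target program as an option.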
This is especially an issue with Perl. If the perl executable is available in the [oft-used] cgi-bin/ directory, then a user can get at the executable directly. Since perl has a command-line option to execute arbitrary Perl commands, this would allow a malicious user to execute any Perl command, giving them a perfect opportunity to stage a [probably successful] attack on the machine in question.