A form is identical to a URI or headers in terms of being an injection vector for user-supplied data. The general “don’t trust the client” rules apply as shown by the possibility of SQL injection, XSS, etc. So, forms that only rely on JavaScript validation without server-side validation are bad.

Problems more specific to forms include:

• Assuming type=hidden fields are not visible to or will not be manipulated by a user
• Not submitting sensitive data via HTTPS
• Incorrectly masking data (e.g. displaying last N digits of credit card to the user, but all digits are somewhere in the page anyway)
• For languages like PHP where GET and POST data can be accessed from different arrays, applying security checks to $_POST, but taking values from $_GET

Workflow or “business logic” problems aren’t specific to forms, but they apply more often to the functionality often handled with them:

• Inadequate workflow enforcement, such as form A must be filled out before form B, but the state transition is tracked on the client side rather than the server side. (A user can skip a step that shouldn’t be skipped.)
• Lack of rate limiting. This depends on context, e.g. hitting a form that sends emails to spams users or the ops team, repeatedly hitting an “apply discount” form to reduce a price, a search that requires full table scan might lead to a DoS.