in reply to Re^4: Taint problems
in thread Taint problems

I don't think FindBin is at fault here.

I agree. $FindBin::RealBin is marked as tainted.

>perl -MScalar::Util=tainted -T -le"use FindBin; print tainted($FindBin::RealBin) ?1:0"
1

use/require is not at fault either.

>perl -MScalar::Util=tainted -T -le"use FindBin; unshift @INC, $FindBin::RealBin; require Module;"
Insecure dependency in require while running with -T switch at -e line 1.

Perl did its due diligence. If you're going to blindly untaint the result ($path =~ /^(.+)$/;), it's your own coffin you're nailing.

rowdog is right too, though. If the modules or libraries you use are exploitable, there's a possibility that your code is too. For example, if there's a buffer overflow in the library DBD::mysql uses, even properly validated inputs could be used to exploit a vulnerability.
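
An added example, not part of the original post: one way to untaint $FindBin::RealBin with an actual check instead of /^(.+)$/, before it reaches @INC. The @ALLOWED paths and the vetted_lib_dir helper are hypothetical, and the candidate inputs are constructed.

```perl
# Run with: perl -T untaint_demo.pl
use strict;
use warnings;
use FindBin ();
use Scalar::Util qw(tainted);

# Assumption: the only directories this program may load modules from.
my @ALLOWED = ('/opt/myapp/bin', '/opt/myapp/lib');

# Returns an untainted copy of $dir if it passes every check, else undef.
sub vetted_lib_dir {
    my ($dir) = @_;
    return unless defined $dir;
    # Anchored with \A...\z and a narrow character class; /^(.+)$/ would
    # accept almost any single-line string.
    return unless $dir =~ m{\A((?:/[A-Za-z0-9_.-]+)+)\z};
    my $clean = $1;                               # the capture is untainted
    # Redundant with an exact allow-list, needed if it ever becomes prefix-based.
    return if $clean =~ m{/\.\.?(?:/|\z)};        # no "." or ".." segments
    return unless grep { $_ eq $clean } @ALLOWED;
    return $clean;
}

# Zero-length tainted string under -T, used to taint the constructed inputs
# so they stand in for $FindBin::RealBin.
my $TAINT = substr($^X, 0, 0);
for my $raw ('/opt/myapp/lib', '/opt/myapp/lib/../../tmp',
             "/opt/myapp/lib\n/tmp", '/tmp/evil') {
    my $in  = $raw . $TAINT;
    my $out = vetted_lib_dir($in);
    (my $shown = $raw) =~ s/\n/\\n/g;
    printf "%-28s tainted=%d -> %s\n", $shown, tainted($in) ? 1 : 0,
        defined $out ? 'accepted, tainted=' . (tainted($out) ? 1 : 0)
                     : 'rejected';
}

# Real use: only a vetted directory is added to @INC.
if (defined(my $lib = vetted_lib_dir($FindBin::RealBin))) {
    unshift @INC, $lib;
} else {
    warn "not adding $FindBin::RealBin to \@INC\n";
}
```

Only the first constructed input is accepted and comes back untainted. The script's own directory is refused unless it is listed in @ALLOWED.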