Security patch has been released: 20160830

The Plone security team has released version 1.3 of the hotfix. You probably don't need to update. But if you have z3c.form forms that should prefill inputs with data from a GET request, the hotfix does not allow this. Version 1.3 offers a way around that. From the readme:

z3c.form and prefilling data

With this hotfix, we only use data from the request when the request method matches the form method. By default all forms are meant for POST requests, and in those we no longer allow prefilling data from a GET request. The same is true the other way around, we don't fill in data from POST requests in forms that expect a GET request, but that likely does not happen often.

If you have a form where this protection is not wanted, you can add an attribute allow_prefill_from_GET_request on the form and set it to a True value. If you want, you can import this attribute name from Products.PloneHotfix20160830.z3c_form.ALLOW_PREFILL. This attribute will likely be ported to the z3c.form package.

The attribute was introduced in version 1.3 of the hotfix.
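To make the rule concrete, here is an added illustration of the prefill check as the readme describes it. It is not code from the hotfix or from z3c.form: the `Form`, `OptOutForm` and `Request` classes and the `should_use_request_data` / `extract_field_values` functions are simplified stand-ins written for this example, and the `ALLOW_PREFILL` constant restates the attribute name so the example runs without Plone installed.

```python
# Added illustration of the hotfix's prefill rule. NOT the hotfix's own code;
# Form, OptOutForm, Request and the two functions are stand-ins for this example.

# The readme says this name can be imported from
# Products.PloneHotfix20160830.z3c_form.ALLOW_PREFILL; restated here so the
# example is self-contained.
ALLOW_PREFILL = "allow_prefill_from_GET_request"


class Request:
    """Minimal stand-in for a Zope request (constructed for this example)."""

    def __init__(self, method, form=None):
        self.method = method.upper()
        self.form = dict(form or {})  # submitted field values


class Form:
    """Stand-in for a z3c.form form; forms default to the POST method."""

    method = "post"


class OptOutForm(Form):
    """A POST form that opts out of the protection, as the readme describes."""

    allow_prefill_from_GET_request = True


def should_use_request_data(form, request):
    """Return True when the form may read field values from this request.

    Rule from the hotfix readme: use request data only when the request
    method matches the form method. The one exception is a POST form that
    explicitly sets the opt-out attribute, which may then prefill from GET.
    POST data is never used to fill a form that expects GET.
    """
    form_method = form.method.upper()
    if request.method == form_method:
        return True
    if request.method == "GET" and form_method == "POST":
        return bool(getattr(form, ALLOW_PREFILL, False))
    return False


def extract_field_values(form, request, field_names):
    """Return only the request fields the form is allowed to prefill from."""
    if not should_use_request_data(form, request):
        return {}
    return {name: request.form[name] for name in field_names if name in request.form}


if __name__ == "__main__":
    get_request = Request("GET", {"title": "from the query string"})
    print("default form:", extract_field_values(Form(), get_request, ["title"]))
    print("opt-out form:", extract_field_values(OptOutForm(), get_request, ["title"]))
```

With the default form the GET values are dropped; only the subclass that sets `allow_prefill_from_GET_request = True` gets them back, which is exactly the opt-in the readme describes.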
