Thttpd v2.2.1 through 2.23b1 contain a remotely exploitable buffer overflow in defang() which can allow remote code execution. Fix available here.
You can download this advisory from the following link: https://packetstormsecurity.com/files/download/31927/thttpd.2.2.3.txt
Source: https://packetstormsecurity.com/files/31927/thttpd.2.2.3.txt.html