Acme mini_httpd prior to 1.16 allows remote malicious users to view sensitive files under the document root (such as .htpasswd) via a GET request with a trailing /.
acme mini httpd