Small HTTP Server 2.03 and earlier allows remote attackers to cause a denial of service by repeatedly requesting a URL that references a directory that does not contain an index.html file, which consumes memory that is not released after the request is completed.

The aglimpse CGI program of the Glimpse package allows remote execution of arbitrary commands.

List of arbitrary files on Web host via nph-test-cgi script.