The 'lighttpd' program is prone to a security-bypass vulnerability that occurs in the 'mod_userdir' module. Attackers can exploit this issue to bypass certain security restrictions and obtain sensitive information. This may lead to other attacks. Versions prior to 'lighttpd' 1.4.20 are vulnerable.
The vendor has released lighttpd 1.4.20 to address this issue. Please see the references for more information.