I have released thttpd 2.28 and mini_httpd 1.28. They both include a fix to a buffer overrun bug in htpasswd, reported by Alessio Santoru as CVE-2017-17663.
If you are just using htpasswd to set up your own web auth files locally, there is no security implication from this bug. On the other hand, if you are giving remote users access to htpasswd, they could conceivably use the buffer overrun to accomplish remote code execution as the web server user.
There are also a couple of other changes in these releases. In particular, mini_httpd 1.28 includes some new code that should prevent connections from getting stuck in FIN_WAIT_2 state.