The WordPress team is currently hard at work on completing version 2.9, but that doesn’t mean they will leave older versions open to vulnerabilities.
WordPress has released version 2.8.6 as a security release. It fixes two security problems that can be exploited by untrusted users of your blog who have posting privileges.
The first problem is an XSS vulnerability in Press This discovered by Benjamin Flesch. The second problem, discovered by Dawid Golunski, is an issue with sanitizing uploaded file names that can be exploited in certain Apache configurations.
Download version 2.8.6 from WordPress.org, or upgrade automatically through your blog’s WordPress Dashboard.