WordPress 4.6.1 is available and users are strongly encouraged to update immediately as it patches two security vulnerabilities. The first is a cross-site scripting vulnerability related to image filenames that was reported by Cengiz Han Sahin, a SumOfPwn researcher. The second is a path traversal vulnerability in the upgrade package uploader reported by Dominik Schilling, who led the WordPress 4.6 development cycle and is a member of the WordPress security team.
In addition to the security patches, this release fixes 15 bugs. Since 4.6.1 is a point release, most sites should update automatically. However, if you’d like to update sooner, browse to your WordPress Dashboard and select Updates and click the update now button. Users who encounter any issues with or updating to WordPress 4.6.1 are encouraged to report them in the WordPress support forums.