2.8.6 fixes two security issues that can be exploited by registered, logged-in users who have posting privileges. If you have untrusted authors on your blog, upgrading to 2.8.6 is recommended.
The first issue is an XSS vulnerability in Press This found by Benjamin Flesch. The second issue, found by Dawid Golunski, is a problem with sanitizing uploaded file names that can be exploited in certain Apache configurations. Thanks to Benjamin and Dawid for finding and reporting these.