2.8.6 fixes two security problems that can be exploited by registered, logged-in users who have posting privileges. If you have untrusted authors on your blog, upgrading to 2.8.6 is recommended.
The first problem is an XSS vulnerability in Press This found by Benjamin Flesch. The second problem, found by Dawid Golunski, is an issue with sanitizing uploaded file names that can be exploited in certain Apache configurations. Thanks to Benjamin and Dawid for finding and reporting these.