WordPress 4.6.1 was made available yesterday. This security release is meant for all the previous versions of WordPress and the users are strongly advised to update their websites immediately.
The WordPress 4.6.1 security release addresses two security vulnerabilities. The first, reported by SumOfPwn researcher Cengiz Han Sahin is a cross-site scripting vulnerability via image filename; and the second, reported by Dominik Schilling from the WordPress security team, is a path traversal vulnerability in the upgrade package uploader.
Additionally, WordPress 4.6.1 fixes 15 bugs. The websites should update automatically since this is a security release. Alternatively, you can update manually by visiting the Updates option in your WordPress Dashboard and clicking the Update Now button.