A quote from the website:
A non-persistent XSS vulnerability has been discovered in the Orchard.Comments module that is distributed with the core distribution of the CMS. The module could in some circumstances let an external website render custom scripts on an Orchard website. This vulnerability might ultimately be used to gather your credentials if you further authenticate on the targeted Orchard website.
All released versions of Orchard are vulnerable and need to be patched immediately.
We are releasing today (April 30, 2013) a new version 1.6.1 of Orchard 1.6 that has the patch in place. This new version is replacing the previously available download. If you are downloading Orchard 1.6.1 today, you do not need to take any additional steps. The latest 1.x development branch is already patched as well. We are also releasing patch files for each version of Orchard from 1.0 to 1.6 that can be applied to existing web sites.
Great to see that security risks are getting patched immediately !
More information and download links at:
More information about Orchard CMS: