The Drupal team reports:
Vulnerability: XSS Vulnerability in taxonomy module
It is possible for a malicious user to insert and execute
XSS into terms, due to lack of validation on output of the
page title. The fix wraps the display of terms in
check_plain().