From the announcement post, this maintenance release addresses 13 bugs with version 3.6.
Additionally: Version 3.6.1 fixes three security issues:
Remote Code Execution: Block unsafe PHP de-serialization that could occur in limited situations and setups, which can lead to remote code execution. Reported by Tom Van Goethem. CVE-2013-4338.
Link Injection / Open Redirect: Fix insufficient input validation that could result in redirecting or leading a user to another website. Reported by Dave Cummo, a Northrup Grumman subcontractor for the U.S. Centers for Disease Control and Prevention. CVE-2013-4339.
Privilege Escalation: Prevent a user with an Author role, using a specially crafted request, from being able to create a post “written by” another user. Reported by Anakorn Kyavatanakij. CVE-2013-4340.
More information: http://codex.wordpress.org/Version_3.6.1