Magento have released a new patch for Magento Commerce 220.127.116.11 and Open Source 18.104.22.168.
SUPEE-10266 is a very important security patch that protects against several security-related issues, including:
Closes cross-site request forgery (CSRF)
Solves unauthorized data leak
Closes authenticated Admin user remote code execution vulnerabilities.
Includes fixes for issues with image reloading and payments using one-step checkout.
Includes a fix for issues related to checkout with a zero order amount on Magento Commerce (Enterprise Edition).
You can read more on the full specs of the patch via the Magento Technical Resources Centre.
What you need to do
You must apply this new security patch as soon as possible. It can be downloaded from https://www.magentocommerce.com/download
If your current development partner or in-house development team hasn't already got this on their backlog, we would recommend prioritising this task as soon as possible.