Oracle has just released Java SE versions 8u111 and 8u112, which are available from its SE Downloads page.

These fix 9 bugs and 7 security vulnerabilities. All the vulnerabilities are remotely exploitable without authentication, and 4 of them have high base scores, i.e. they are critical. Updating is thus highly recommended, and should be performed as soon as possible.

However, Oracle warns that there is a remaining issue with version 8u111 in macOS 10.12 Sierra: if a user presses modifier keys such as Command, Shift, or Option while an applet is running in a browser, an Internal Error may be displayed, and the ‘exec’ icon will show in the Dock. Oracle advises Sierra users to install and use version 8u112 instead, as it should not suffer from this.