I haven’t seen a serious vulnerability in the JRE/JDK for a while, but I came across this one (via JavaWorld) which was discovered by an anonymous researcher working with the Zero Day Initiative. The vulnerability affects recent versions of the JDK and JRE (1.3, 1.4 and 1.5).
By loading a GIF image and specifying a size of zero, a malicious applet can cause a buffer overflow and execute code remotely. Exploits are already publicly available.
SunSolve has instructions for addressing this issue.
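As an added example (not from the original post or from Sun's advisory), here is a scanner that flags GIF files declaring a zero width or height before they reach a decoder. It assumes the "size of zero" above refers to the width/height fields of the GIF logical screen or image descriptor; the function names and sample bytes are constructed for illustration.

```python
import struct

def _table_len(packed):
    # Color table present if bit 7 is set; it holds 2^(n+1) RGB entries.
    return 3 * (2 << (packed & 0x07)) if packed & 0x80 else 0

def _skip_sub_blocks(data, pos):
    # Walk length-prefixed sub-blocks up to and including the 0 terminator.
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        size = data[pos]
        pos += 1 + size
        if size == 0:
            return pos

def zero_dimension_findings(data):
    """List every zero width/height field declared in a GIF byte string."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    findings = []
    try:
        w, h, packed = struct.unpack_from("<HHB", data, 6)   # logical screen
        if w == 0 or h == 0:
            findings.append(f"logical screen: width={w} height={h}")
        pos, frame = 13 + _table_len(packed), 0
        while pos < len(data) and data[pos] != 0x3B:          # 0x3B = trailer
            if data[pos] == 0x21:                             # extension block
                pos = _skip_sub_blocks(data, pos + 2)
            elif data[pos] == 0x2C:                           # image descriptor
                w, h, packed = struct.unpack_from("<HHB", data, pos + 5)
                if w == 0 or h == 0:
                    findings.append(f"frame {frame}: width={w} height={h}")
                frame += 1
                # descriptor (10) + local color table + LZW code-size byte
                pos = _skip_sub_blocks(data, pos + 11 + _table_len(packed))
            else:
                raise ValueError(f"unknown block 0x{data[pos]:02x} at {pos}")
    except (struct.error, ValueError) as exc:
        findings.append(f"malformed: {exc}")   # fail closed: treat as suspect
    return findings

def sample_gif(width, height):
    # Constructed one-frame test input; only the frame's size fields vary.
    return (b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0) + bytes(6)
            + b"\x2C" + struct.pack("<HHHHB", 0, 0, width, height, 0)
            + b"\x02" + b"\x02\x4C\x01\x00" + b"\x3B")

if __name__ == "__main__":
    for dims in [(1, 1), (0, 1)]:
        print(dims, zero_dimension_findings(sample_gif(*dims)))
```

An empty list means no zero-size field was declared; any finding, including a `malformed` one, is a reason to reject or quarantine the file rather than pass it to an unpatched decoder.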