This week, Core Security Technologies issued a security advisory regarding a vulnerability in Microsoft Virtual PC/Windows Virtual PC. The latter is the technology used for XP Mode in Windows 7. Hyper-V is not affected.
The Windows Security Blog explains that this is not a vulnerability in itself but rather a means by which an attacker can exploit security vulnerabilities already existing on a system that's running in a virtual environment. Only the guest operating system is affected (not the host OS). This means if you're using XP Mode, the risk is to the XP OS in the VM only, not to the Windows 7 machine on which it's running. Read more about it here: