If you running BlogEngine 3.0 and up, please update to version 3.1.1. This will install security patch against directory traversal vulnerability along with few improvements and bug fixes.
BackupPlease always backup your site before installing any updates. Worst case, you can restore to current version.
Auto UpdateFor v.3+ users, you should see "update available" message in the dashboard. It is better run and test update on local (DEV) instance and then FTP files to the host, specially for critical sites. Moving thousands files on busy site may end up in a lock. But if you must run live update and getting "file locked", it is ok to click "update" button again, this might fix an issue.
Manual UpdateRemember you can always download files and update manually, it is not hard. Basically you wipe out all except "/Custom" and "/App_Data" plus any custom files/folder you might have, then move new version in. Merging web.config is the only slightly tricky part - you might need take care of connection string and providers if you use database.
Older VersionsIf you run older version, you can try to use this simple extension which will do the job just fine. It may need an adjustment for very old version though. Save code below as "BlockTraversal.cs" and drop it to your site "/App_Code/Extensions" folder.
[Extension("Block Directory Traversal", "1.0", "BlogEngine.NET")]
public class BlockTraversal
ImageHandler.Serving += Serving;
FileHandler.Serving += Serving;
void Serving(object sender, System.EventArgs e)