You can now download Dotclear 2.6.3. This maintenance release includes fixes for two potential security defaults on XML-RPC authentification and on category ordering. Many thanks to Egidio Romano for his advices about them.
He also warned us on the possibility to send PHP scripts into the media folder and to get them executed from there. Dotclear cannot entirely protect against this kind of defect and you should ensure to not leave such files in your medias, or if it's necessary, to make sure that they are not executable. In order to do so, a few methods exist and rely essentially on the web host and the sofware used for the server.
For Apache in example, a .htaccess file located in the public folder and including the following directive allows to avoid the issue:
php_flag engine off
Your dashboard should also offer you to upgrade your installation today or tomorrow (depending on your settings). There's also a patch for the developers who prefer this method.