Our friends at DevExpress have been hard at work on the AJAX Control toolkit and have an update available that should be installed to cover a critical security vulnerability that has existed prior to the v15.1.x version.
Brian Cardinale discovered the security vulnerability, a directory traversal issue, and has a blog post describing the issue in more detail.
Download an installer for the latest version of the toolkit now.