An issue discovered in Pfsense CE version 2.6.0 allows malicious users to change the password of any user without verification.
pfsense pfsense 2.6.0