Well, fuuuuck.
Twitter thread here:
Not a huge deal as you need a local account to find the encrypted passwords in the first place, unless you put them in a reg file indexed by Google like the 4 results he posted about. Remote exploits are much more impactful.
Fun story about how he found it, though.