Revolving around the core of technology
The login form does not specify a method of POST and thus defaults to GET.
On login failure, the username and password are appended to the URL as GET parameters, exposing plaintext username and password to: browser history, webserver log, proxy server log, dns server log, etc.
Dima,
Thank you for letting us know about this. It will be fixed in the next update.