Someone probably just mixed up the hash keys for the password field and the hint field. The hint needs to be stored unencrypted so that it can be displayed.
Agree. It's probably an issue with the form, nothing underlying. (Which means encrypted containers created via the command line should be safe from this vulnerability?)