According to Reddit user pyler2, there's a lock screen bug on his Nexus 5 running the Cataclysm ROM. Basically, if you have a swipe pattern on your device, swipe the wrong pattern, press the back key, and then swipe to unlock, you can bypass the security feature. Many were thinking this was a CyanogenMod 12 bug, but it turns out it's part of AOSP, as it is present on a bunch of other devices running Android 5.0.1, even skinned versions of Android like what you have on the HTC One M8. However, it appears that it only happens with QQ Browser installed. I've tried it on my Nexus 6 running Android 5.1 and it's not present until I install QQ Browser from the Play Store; then it is present. It does appear that other third-party apps can trigger the bug as well, but I haven't found any others just yet.
There is already a commit on CyanogenMod's Gerrit for this, so we'll likely see this bug fixed in CyanogenMod-based ROMs. However, for those running stock or even Lollipop from HTC and Samsung, it looks like you're still screwed a bit, as it is still present in Android 5.1, which just became official a few weeks ago. It appears that the newest nightlies (likely coming out tonight) should have the commit, which means this bug shouldn't be plaguing CyanogenMod users anymore.
This is a pretty big lock-screen flaw in Android Lollipop; however, many people probably won't know about it or that it exists. Hopefully Google pushes out Android 5.1.1 fairly soon and fixes it up. But for now, be sure to keep QQ Browser uninstalled, if you do use it for browsing. It's the easiest way to avoid the bug, at least for now. The entry on CyanogenMod's Gerrit does say that other third-party apps can trigger the bug, but so far it's just QQ Browser that we've found. So just be careful.
Bugs like these are pretty common, actually. With just about every Android release, we see a pretty big bug surface. It may not be on the lock screen, but there's usually a bug that threatens the security of your device.