diff --git a/core/src/main/cfml/context/admin/Application.cfc b/core/src/main/cfml/context/admin/Application.cfc
index 2e558c7abf..5fc3ab26cd 100644
--- a/core/src/main/cfml/context/admin/Application.cfc
+++ b/core/src/main/cfml/context/admin/Application.cfc
@@ -34,6 +34,9 @@ this.sessionCookie.path = getAppFolderPath(); // the admin is always in a folde
 this.tag.cookie.sameSite = "strict";
 this.tag.cookie.path = getAppFolderPath();
 this.tag.cookie.httpOnly = true; // prevent access to session cookies from javascript
+this.searchImplicitScopes = false;
+this.searchResults = false;
+this.security.limitEvaluation = true;
 this.xmlFeatures = {
 externalGeneralEntities: false,
diff --git a/core/src/main/cfml/context/admin/web.cfm b/core/src/main/cfml/context/admin/web.cfm
index 0412cf36a9..75fd3f49dd 100755
--- a/core/src/main/cfml/context/admin/web.cfm
+++ b/core/src/main/cfml/context/admin/web.cfm
@@ -1,3 +1,25 @@
+
+ q = queryNew("id");
+ queryAddRow(q);
+ querySetCell(q, "id", "ooops");
+ a = getapplicationsettings();
+ dump(a);
+ for (aa in a){
+ if (isSimpleValue(aa) && aa contains "search")
+ dump(var=a[aa], label=aa);
+ }
+ loop query="q" {
+ systemOutput("this should crash", true);
+ systemOutput(id, true); //unscoped, as this.searchResults = false;
+ echo(id);
+ }
+
+ //echo(cgi.remote_Address);
+ // echo(remote_Address); // unscoped should crash
+
+ url.test =1;
+ //echo(test); // unscoped should crash
+ request.singleMode=getApplicationSettings().singleContext;
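Review bot: The three new settings in the Application.cfc hunk (`this.searchImplicitScopes = false;`, `this.searchResults = false;`, `this.security.limitEvaluation = true;`) carry no comment, unlike the neighbouring `httpOnly` line, yet they change how every template in the admin resolves names: judging from the `// unscoped should crash` and `//unscoped, as this.searchResults = false;` remarks in the web.cfm hunk of the same commit, an unscoped reference that used to fall back to url/form/cgi or a query column now raises an error, which is the hardening against scope-injection the change is presumably after. I would state that intent and the compatibility consequence next to the settings, e.g. `this.searchImplicitScopes = false; // unscoped names no longer fall back to url/form/cgi - scope everything explicitly`, `this.searchResults = false; // query columns are not resolved unscoped either`, and `this.security.limitEvaluation = true; // presumably restricts evaluate() - confirm against the docs`, and grep the admin templates for unscoped references before merging, since any survivor becomes a runtime error rather than a silent lookup. The web.cfm hunk, whose end lies outside this chunk, looks like a manual verification harness (`dump(a)` of `getapplicationsettings()` into the admin response, `systemOutput("this should crash", true)`) rather than production code; dumping the application settings into the admin page is information exposure and the block should be dropped or moved to a test before this ships.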