diff --git a/core/src/main/cfml/context/admin/Application.cfc b/core/src/main/cfml/context/admin/Application.cfc
index 2e558c7abf..5fc3ab26cd 100644
--- a/core/src/main/cfml/context/admin/Application.cfc
+++ b/core/src/main/cfml/context/admin/Application.cfc
@@ -34,6 +34,9 @@ this.sessionCookie.path = getAppFolderPath(); // the admin is always in a folde
this.tag.cookie.sameSite = "strict";
this.tag.cookie.path = getAppFolderPath();
this.tag.cookie.httpOnly = true; // prevent access to session cookies from javascript
+this.searchImplicitScopes = false;
+this.searchResults = false;
+this.security.limitEvaluation = true;
this.xmlFeatures = {
externalGeneralEntities: false,
diff --git a/core/src/main/cfml/context/admin/web.cfm b/core/src/main/cfml/context/admin/web.cfm
index 0412cf36a9..75fd3f49dd 100755
--- a/core/src/main/cfml/context/admin/web.cfm
+++ b/core/src/main/cfml/context/admin/web.cfm
@@ -1,3 +1,25 @@
+
+ q = queryNew("id");
+ queryAddRow(q);
+ querySetCell(q, "id", "ooops");
+ a = getapplicationsettings();
+ dump(a);
+ for (aa in a){
+ if (isSimpleValue(aa) && aa contains "search")
+ dump(var=a[aa], label=aa);
+ }
+ loop query="q" {
+ systemOutput("this should crash", true);
+ systemOutput(id, true); //unscoped, as this.searchResults = false;
+ echo(id);
+ }
+
+ //echo(cgi.remote_Address);
+ // echo(remote_Address); // unscoped should crash
+
+ url.test =1;
+ //echo(test); // unscoped should crash
+
request.singleMode=getApplicationSettings().singleContext;