I noticed yesterday that when you use access="private" in a CFC function, inherited CFCs also have access to this function. In object-oriented languages such as Java, C++, or C# this type of access is known as "protected" access. This may be a bug in CFCs, or it may just be a bug in the documentation, which states "private: available only to the component that declares the method".
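The behavior described above can be reproduced with three small files. This is an added example, not code from the original post. It shows why access="private" should not be relied on to keep a method out of reach of components that extend the declaring one. The file names Base.cfc, Child.cfc and test.cfm and the function names getSecret and callInherited are assumptions made for illustration; save each section as its own file in the same directory.

```cfml
<!--- Base.cfc (constructed example): declares a method with access="private" --->
<cfcomponent>
    <cffunction name="getSecret" access="private" returntype="string" output="false">
        <cfreturn "value from Base.getSecret()">
    </cffunction>
</cfcomponent>

<!--- Child.cfc (constructed example): extends Base and calls the parent's private method --->
<cfcomponent extends="Base">
    <cffunction name="callInherited" access="public" returntype="string" output="false">
        <!--- The call resolves because the extending component can reach getSecret() --->
        <cfreturn getSecret()>
    </cffunction>
</cfcomponent>

<!--- test.cfm (constructed example): exercises both access paths --->
<cfset child = createObject("component", "Child")>

<!--- Path 1: through the child's public method, which reaches the inherited private method --->
<cfoutput>#child.callInherited()#<br></cfoutput>

<!--- Path 2: directly from outside the component, which the access check refuses --->
<cftry>
    <cfset child.getSecret()>
    <cfoutput>Direct call was allowed<br></cfoutput>
    <cfcatch type="any">
        <cfoutput>Direct call blocked: #cfcatch.message#<br></cfoutput>
    </cfcatch>
</cftry>
```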