I ran into some issues getting the Lucee Tomcat 8.5 service to start on with Java 10.0.2 on a Windows 2016 Server. I was getting errors in the commons-daemon log file like: CreateJavaVM Failed CreateJavaVM Failed The system cannot find the file specified.

Due to the recent security vulnerability ABSP15-20 / APSB15-21 in BlazeDS there has been increased interest in disabling flash remoting when not needed -- if you followed the lockdown guide for CF9, CF10, or CF11 you should already have it disabled.

Here is an interesting vulnerability that I have come across several times in real CFML code during code reviews, I have spoken about it at conferences but have never written about it. Since it doesn't really have a name, I call it Scope Injection, you'll see why in a minute.