diff --git a/vcpkg.json b/vcpkg.json
index 3b99d98bee..f3d06c5d46 100644
--- a/vcpkg.json
+++ b/vcpkg.json
@@ -41,6 +41,11 @@
         "name": "physx",
         "version": "4.1.2#6",
         "$comment": "Upstream vcpkg updated to PhysX 5, which drops support for several target platforms. Stick with 4.1.2 for now."
+      },
+      {
+        "name": "liblzma",
+        "version": "5.4.4",
+        "$comment": "liblzma & xz were compromised upstream: CVE-2024-3094."
       }
     ],
     "features": {