diff --git a/CHANGELOG.md b/CHANGELOG.md index 809d3f5c..a64cabe9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] + +### 🔐 Security + +Bump Lucee build dependency to `6.0.0.585` to avoid [vulnerable dependencies in []`org.apache.commons:commons-compress`](https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHECOMMONS-6254296), [`com.github.mwiede:jsch`](https://security.snyk.io/vuln/SNYK-JAVA-COMGITHUBMWIEDE-6130900), and [`org.apache.commons:commons-compress`](https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHECOMMONS-6254297). NOTE: None of these vulnerabilities are realized in the Ortus ORM Extension, since we do not ship any Lucee code. + ## [6.5.1] - 2024-02-20 ### 🐛 Fixed diff --git a/pom.xml b/pom.xml index ea53e937..06b81c43 100644 --- a/pom.xml +++ b/pom.xml @@ -307,7 +307,7 @@ lucee-core-version: ${minLuceeVersion} org.lucee lucee - 5.4.4.38 + 6.0.0.585 provided
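Review bot: The first link in the new CHANGELOG.md Security entry is malformed. The text `[vulnerable dependencies in []` opens a bracket that is never closed properly and leaves an empty `[]` in front of the first package name, so the first Snyk link will not render as intended. Suggest moving the prose outside the link: "to avoid vulnerable dependencies in [`org.apache.commons:commons-compress`](…), [`com.github.mwiede:jsch`](…), and …". `org.apache.commons:commons-compress` is also listed twice with two different Snyk IDs. If both advisories are meant, consider naming the package once and attaching both links so it does not read as a copy-paste duplicate. The entry is also the only line under the heading without a list marker, so check it against the style of the other sections in the file.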
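Review bot: The pom.xml hunk moves the `provided` Lucee dependency across a major version (`5.4.4.38` to `6.0.0.585`) while the context line above it still writes `lucee-core-version: ${minLuceeVersion}` into the manifest. If `minLuceeVersion` remains a 5.x value, the extension will now compile against the 6.x API but still declare itself installable on 5.x, so any use of a 6.x-only class or method signature would surface only at runtime on older servers. Please confirm that the build and test matrix still run against the declared minimum version, or raise `minLuceeVersion` in the same change. Since the scope is `provided`, the bump changes what scanners see in the build graph rather than what is shipped, which matches the CHANGELOG note. It would also help to put the version in a property next to `minLuceeVersion` so that the two values are reviewed together on the next bump.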