Update NuGet and System.Security.Cryptography.Xml for CG alerts

[missymessa]

Summary

Bump vulnerable package versions to resolve Component Governance alerts from the April 2026 security patch wave.

Changes

Package	Old Version	New Version	Advisory
NuGet.Commands	7.0.1	7.0.3	GHSA-g4vj-cjjj-v7hg
NuGet.Frameworks	7.0.1	7.0.3	GHSA-g4vj-cjjj-v7hg
NuGet.Packaging	7.0.1	7.0.3	GHSA-g4vj-cjjj-v7hg
NuGet.ProjectModel	7.0.1	7.0.3	GHSA-g4vj-cjjj-v7hg
NuGet.Versioning	7.0.1	7.0.3	GHSA-g4vj-cjjj-v7hg
System.Security.Cryptography.Xml	10.0.3	10.0.6	CVE-2026-33116, CVE-2026-26171

CG Work Items Resolved

• AB#10471 - NuGet.Protocol 7.0.1 (GHSA-g4vj-cjjj-v7hg)
• AB#10437 - NuGet.Packaging 7.0.1 (GHSA-g4vj-cjjj-v7hg)
• AB#10438 - System.Security.Cryptography.Xml 10.0.3 (CVE-2026-33116)
• AB#10439 - System.Security.Cryptography.Xml 10.0.3 (CVE-2026-26171)
• AB#10472 - System.Security.Cryptography.Xml 9.0.0 (CVE-2026-33116) — resolved via transitive pinning
• AB#10473 - System.Security.Cryptography.Xml 9.0.0 (CVE-2026-26171) — resolved via transitive pinning

CG Work Items Not Addressed Here

• AB#10474, AB#10475, AB#10482 (.NET SDK security - 8.0/9.0/10.0): SDK versions in \�ng/common\ templates use \�ersion: X.0.x\ with rollforward, so patched SDKs (8.0.126, 9.0.116, 10.0.106) are picked up automatically.
• AB#10440, AB#10441, AB#10442 (NuGet 6.11.0/6.14.0): Transitive via the SDK; resolved when patched SDKs are used.
• AB#10247 (Microsoft.Guardian.Cli 0.109.0): Installed by the 1ES/Guardian pipeline task, not a repo dependency.

Notes

• NuGet 7.0.3 stays within the same patch band, respecting the existing constraint: Don't version higher than what's available in the toolset SDK.
• The \SystemSecurityCryptographyXmlPackageVersion\ in \Version.Details.props\ is normally managed by Maestro dependency flow from dotnet/runtime. The next flow will bring >= 10.0.6 since the fix is already published.