Add advisory for boxlite (GHSA-g6ww-w5j2-r7x3 / CVE-2026-46695)

[DorianZheng]

Adds RustSec entries for two Critical sandbox-escape vulnerabilities in
the boxlite sandboxing runtime and
its CLI front-end boxlite-cli,
fixed in 0.9.0 (2026-05-03), publicly disclosed 2026-05-16.

Advisory	CVE	Crate(s)	Affected	Patched
GHSA-g6ww-w5j2-r7x3	CVE-2026-46695	boxlite, boxlite-cli	< 0.9.0	0.9.0
GHSA-f396-4rp4-7v2j	CVE-2026-46703	boxlite, boxlite-cli	< 0.9.0	0.9.0

The vulnerable code lives in the boxlite core crate; boxlite-cli
depends on it, so both are affected by both advisories. The upstream
advisories on GitHub include structured ecosystem rows for
pip / npm / go / rust (boxlite and boxlite-cli); this PR mirrors
that into the RustSec database so cargo audit users get the alert.

Filed by the boxlite maintainers post-disclosure per CONTRIBUTING.md
("The above steps can be skipped for advisories filed by crate
authors"). Happy to split into per-crate or per-advisory PRs if
reviewers prefer.

[djc]

This is okay, but the file names need to match the expected name (RUSTSEC-0000-0000.*).

[DorianZheng]

Thanks for the review @djc! Renamed all four files to the RUSTSEC-0000-NNNN.md placeholder pattern (unique within each crate directory — 0000/0001 per crate). Happy to split into per-advisory or per-crate PRs if you'd prefer the conventional one-advisory-per-PR shape.

[DorianZheng]

Split per your feedback: this PR now contains only GHSA-g6ww-w5j2-r7x3 (one advisory per crate directory, named RUSTSEC-0000-0000.md). The OCI symlink-escape advisory (GHSA-f396-4rp4-7v2j) moved to #2900.

[DorianZheng]

Pre-emptively applied the same two changes @djc requested on #2900 (which has identical structure):

1. Dropped crates/boxlite-cli/RUSTSEC-0000-0000.md — cargo audit reaches it via the dependency graph from the single boxlite entry.
2. Removed the redundant **Patched in:** / **Upgrade path:** lines — already in [versions] patched.