The PolyShell campaign (Adobe bulletin APSB26-05) is actively mass-exploiting Magento Open Source 2 and Adobe Commerce with an attack chain spanning unrestricted file upload, code injection, and XSS. Approximately 56.7% of vulnerable storefronts have reportedly been compromised since March 19, 2026, and the attackers deploy a WebRTC-based payment card skimmer that bypasses standard Content Security Policy controls. No stable-branch patch is available as of disclosure (only Magento 2.4.9-beta1), creating a difficult production patching decision with immediate PCI DSS implications. Organizations should implement WAF-based compensating controls for file upload endpoints, audit JavaScript on checkout pages against a known-good baseline, and review CSP rules to explicitly restrict WebRTC connections, while tracking NVD and CISA KEV for CVE assignment.
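
One way to run the checkout JavaScript audit recommended above, as an added example that is not part of the original advisory: it inventories the `<script>` elements of a saved known-good page and of the current page, then reports scripts that are new, marking new inline scripts that reference WebRTC APIs. The function names, the sample pages and the `cdn.example` host are constructed for illustration.

```python
import hashlib
import re
from html.parser import HTMLParser

# WebRTC API names; a checkout page that never used them should not start to.
WEBRTC = re.compile(r"RTCPeerConnection|RTCDataChannel|createDataChannel")

class ScriptCollector(HTMLParser):
    """Collect (src, inline body) for every <script> element on a page."""
    def __init__(self):
        super().__init__()
        self.scripts, self._src, self._buf = [], None, None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._src, self._buf = dict(attrs).get("src"), []
    def handle_data(self, data):
        if self._buf is not None:  # script text can arrive in several chunks
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append((self._src, "".join(self._buf).strip()))
            self._buf = None

def inventory(html):
    """Return (set of external src values, {sha256: body} of inline scripts)."""
    c = ScriptCollector()
    c.feed(html)
    c.close()
    srcs = {s for s, _ in c.scripts if s}
    inline = {hashlib.sha256(b.encode()).hexdigest(): b for _, b in c.scripts if b}
    return srcs, inline

def audit(baseline_html, current_html):
    """List scripts present now but absent from the known-good baseline."""
    good_srcs, good_inline = inventory(baseline_html)
    srcs, inline = inventory(current_html)
    findings = [("unknown-src", s) for s in sorted(srcs - good_srcs)]
    for digest, body in inline.items():
        if digest not in good_inline:
            kind = "unknown-inline-webrtc" if WEBRTC.search(body) else "unknown-inline"
            findings.append((kind, digest))
    return findings

# Constructed sample pages, not taken from any real storefront.
BASELINE = '<script src="/static/checkout.js"></script><script>var step = 1;</script>'
CURRENT = BASELINE + ('<script src="//cdn.example/x.js"></script>'
                      '<script>var pc = new RTCPeerConnection();</script>')
if __name__ == "__main__":
    print(audit(BASELINE, CURRENT))
```

The baseline page has to be captured from a build known to be clean; a baseline taken after compromise would whitelist the skimmer.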