Shopware prior to 5.5.8 has XSS via the Query String to the backend/Login or backend/Login/load/ URI.
shopware shopware