diff --git a/powershell/ql/test/query-tests/security/cwe-078/CommandInjection/CommandInjection.expected b/powershell/ql/test/query-tests/security/cwe-078/CommandInjection/CommandInjection.expected
new file mode 100644
index 00000000000..53e66a64f68
--- /dev/null
+++ b/powershell/ql/test/query-tests/security/cwe-078/CommandInjection/CommandInjection.expected
@@ -0,0 +1,12 @@
+edges
+| test.ps1:1:8:1:10 | x | test.ps1:3:28:3:48 | Get-Process -Id $x | provenance | |
+| test.ps1:5:10:5:21 | Env:MY_VAR | test.ps1:7:3:7:20 | $code --enabled | provenance | |
+nodes
+| test.ps1:1:8:1:10 | x | semmle.label | x |
+| test.ps1:3:28:3:48 | Get-Process -Id $x | semmle.label | Get-Process -Id $x |
+| test.ps1:5:10:5:21 | Env:MY_VAR | semmle.label | Env:MY_VAR |
+| test.ps1:7:3:7:20 | $code --enabled | semmle.label | $code --enabled |
+subpaths
+#select
+| test.ps1:3:28:3:48 | Get-Process -Id $x | test.ps1:1:8:1:10 | x | test.ps1:3:28:3:48 | Get-Process -Id $x | This command depends on a $@. | test.ps1:1:8:1:10 | x | user-provided value |
+| test.ps1:7:3:7:20 | $code --enabled | test.ps1:5:10:5:21 | Env:MY_VAR | test.ps1:7:3:7:20 | $code --enabled | This command depends on a $@. | test.ps1:5:10:5:21 | Env:MY_VAR | user-provided value |
diff --git a/powershell/ql/test/query-tests/security/cwe-078/CommandInjection/CommandInjection.qlref b/powershell/ql/test/query-tests/security/cwe-078/CommandInjection/CommandInjection.qlref
new file mode 100644
index 00000000000..06653bc5ac7
--- /dev/null
+++ b/powershell/ql/test/query-tests/security/cwe-078/CommandInjection/CommandInjection.qlref
@@ -0,0 +1 @@
+queries/security/cwe-078/CommandInjection.ql
\ No newline at end of file
diff --git a/powershell/ql/test/query-tests/security/cwe-078/CommandInjection/test.ps1 b/powershell/ql/test/query-tests/security/cwe-078/CommandInjection/test.ps1
new file mode 100644
index 00000000000..682b1af3752
--- /dev/null
+++ b/powershell/ql/test/query-tests/security/cwe-078/CommandInjection/test.ps1
@@ -0,0 +1,7 @@
+param ($x)
+
+Invoke-Expression -Command "Get-Process -Id $x" # BAD
+
+$code = "$Env:MY_VAR"
+
+& "$code --enabled" # BAD
\ No newline at end of file
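Review bot: test.ps1 contains only `# BAD` cases, so the expected output pins the two alerts but cannot catch a false positive if the query later becomes too broad. I would add at least one negative case where the same tainted value is bound as a parameter argument instead of being parsed as code, e.g. `Get-Process -Id $x # GOOD`, and regenerate `CommandInjection.expected` to confirm it produces no row. Separately, on line 7 `& "$code --enabled"` hands the whole string to the call operator, which does not split a string into command and arguments, so this case exercises a tainted command name rather than a tainted argument. A short comment stating which of the two is intended would make the test's purpose clear.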