diff --git a/javascript/ql/src/semmle/javascript/frameworks/Vue.qll b/javascript/ql/src/semmle/javascript/frameworks/Vue.qll
index 4a624e088bb..0ee4e765e72 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/Vue.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Vue.qll
@@ -3,7 +3,6 @@
 */
 import javascript
-import semmle.javascript.security.dataflow.DomBasedXss
 module Vue {
 /**
@@ -372,5 +371,4 @@ module Vue {
 * A `.vue` file.
 */
 class VueFile extends File { VueFile() { getExtension() = "vue" } }
-
 }
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/DomBasedXss.qll b/javascript/ql/src/semmle/javascript/security/dataflow/DomBasedXss.qll
index 8b271d56767..1ee33c13a8f 100644
--- a/javascript/ql/src/semmle/javascript/security/dataflow/DomBasedXss.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/DomBasedXss.qll
@@ -188,4 +188,26 @@ module DomBasedXss {
 override string getVulnerabilityKind() { result = "HTML injection" }
 }
+
+
+ /**
+ * A write to the `template` option of a Vue instance, viewed as an XSS sink.
+ */
+ class VueTemplateSink extends DomBasedXss::Sink {
+ VueTemplateSink() { this = any(Vue::Instance i).getTemplate() }
+ }
+
+ /**
+ * The tag name argument to the `createElement` parameter of the
+ * `render` method of a Vue instance, viewed as an XSS sink.
+ */
+ class VueCreateElementSink extends DomBasedXss::Sink {
+ VueCreateElementSink() {
+ exists(Vue::Instance i, DataFlow::FunctionNode f |
+ f.flowsTo(i.getRender()) and
+ this = f.getParameter(0).getACall().getArgument(0)
+ )
+ }
+ }
+
 }
diff --git a/javascript/ql/test/library-tests/frameworks/Vue/XssSink.expected b/javascript/ql/test/library-tests/frameworks/Vue/XssSink.expected
new file mode 100644
index 00000000000..47b65459c89
--- /dev/null
+++ b/javascript/ql/test/library-tests/frameworks/Vue/XssSink.expected
@@ -0,0 +1,2 @@
+| tst.js:5:13:5:13 | a |
+| tst.js:38:12:38:17 | danger |
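Review bot: The new `VueCreateElementSink` in the DomBasedXss.qll hunk only covers `getArgument(0)` of a call to the render function's first parameter, so it models the tag name but not the HTML that Vue render functions more commonly inject through the data argument, i.e. the `innerHTML` entry of a `domProps` object passed as the second argument to `createElement`; that path stays invisible to the taint-tracking query. A companion sink over `getArgument(1)` that follows the `domProps` and `innerHTML` property writes would close that gap, sketched below (the exact property-write helpers should be checked against the DataFlow library version in use), and the new test in XssSink.expected should then gain a case for it. It is also worth a one-line comment on `VueCreateElementSink` stating that the `exists` only binds a render function that flows directly to `getRender()`, so render functions assigned through other indirections are not matched; the enclosing `module DomBasedXss` starts outside the hunk.
```ql
  /**
   * The value written to `domProps.innerHTML` in the data object passed to the
   * `createElement` parameter of a Vue instance's `render` method, viewed as an XSS sink.
   */
  class VueCreateElementInnerHtmlSink extends DomBasedXss::Sink {
    VueCreateElementInnerHtmlSink() {
      exists(Vue::Instance i, DataFlow::FunctionNode f |
        f.flowsTo(i.getRender()) and
        this = f.getParameter(0).getACall().getArgument(1).getALocalSource()
              .getAPropertyWrite("domProps").getRhs().getALocalSource()
              .getAPropertyWrite("innerHTML").getRhs()
      )
    }
  }
```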
diff --git a/javascript/ql/test/library-tests/frameworks/Vue/XssSink.ql b/javascript/ql/test/library-tests/frameworks/Vue/XssSink.ql
new file mode 100644
index 00000000000..5862d7b62c0
--- /dev/null
+++ b/javascript/ql/test/library-tests/frameworks/Vue/XssSink.ql
@@ -0,0 +1,4 @@
+import javascript
+import semmle.javascript.security.dataflow.DomBasedXss
+
+select any(DomBasedXss::Sink s)