diff --git a/powershell/ql/lib/semmle/code/powershell/dataflow/internal/DataFlowPrivate.qll b/powershell/ql/lib/semmle/code/powershell/dataflow/internal/DataFlowPrivate.qll
index 1d3683b75d2c..23e642a1822f 100644
--- a/powershell/ql/lib/semmle/code/powershell/dataflow/internal/DataFlowPrivate.qll
+++ b/powershell/ql/lib/semmle/code/powershell/dataflow/internal/DataFlowPrivate.qll
@@ -437,6 +437,10 @@ predicate neverSkipInPathGraph(Node n) {
   isReturned(n.(AstNode).getCfgNode())
   or
   n = any(SsaDefinitionNodeImpl def | not def.nodeIsHidden())
+  or
+  n.asExpr() instanceof CfgNodes::ExprNodes::ExpandableStringExprCfgNode
+  or
+  n.asExpr() instanceof CfgNodes::ExprNodes::ExpandableSubExprCfgNode
 }
 
 /** An SSA node. */
diff --git a/powershell/ql/test/query-tests/security/cwe-078/CommandInjection/CommandInjection.expected b/powershell/ql/test/query-tests/security/cwe-078/CommandInjection/CommandInjection.expected
index f5a0fe356c72..4a2e32fc5ce4 100644
--- a/powershell/ql/test/query-tests/security/cwe-078/CommandInjection/CommandInjection.expected
+++ b/powershell/ql/test/query-tests/security/cwe-078/CommandInjection/CommandInjection.expected
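Review bot: The two new disjuncts in `neverSkipInPathGraph` carry no comment saying why expandable-string nodes must stay in the path graph, and nothing else in the predicate hints at it; the updated `.expected` files show the motivation, since the paths now surface the interpolated string (`SELECT * FROM MyTable WHERE MyColumn = '$userinput'`) and the `$(...)` sub-expression where the tainted value is spliced into the command or query text. I would add, above the first new `or`: `// Keep string interpolation visible so the path shows where tainted data enters the command/query string.` It is also worth stating in that comment that the `$(...)` sub-expression is kept as its own hop, distinct from the enclosing string, as the new SqlInjection edges for line 125 illustrate. The predicate's body begins before this hunk.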
@@ -6,8 +6,9 @@ edges
 | test.ps1:27:11:27:20 | userinput | test.ps1:28:38:28:67 | Get-Process -Name $UserInput | provenance | Sink:MaD:106 |
 | test.ps1:33:11:33:20 | userinput | test.ps1:34:14:34:46 | public class Foo { $UserInput } | provenance | |
 | test.ps1:39:11:39:20 | userinput | test.ps1:40:30:40:62 | public class Foo { $UserInput } | provenance | |
-| test.ps1:45:11:45:20 | userinput | test.ps1:47:5:47:9 | code | provenance | |
+| test.ps1:45:11:45:20 | userinput | test.ps1:47:13:47:45 | public class Foo { $UserInput } | provenance | |
 | test.ps1:47:5:47:9 | code | test.ps1:48:30:48:34 | code | provenance | |
+| test.ps1:47:13:47:45 | public class Foo { $UserInput } | test.ps1:47:5:47:9 | code | provenance | |
 | test.ps1:73:11:73:20 | userinput | test.ps1:75:25:75:54 | Get-Process -Name $UserInput | provenance | |
 | test.ps1:80:11:80:20 | userinput | test.ps1:82:16:82:45 | Get-Process -Name $UserInput | provenance | |
 | test.ps1:87:11:87:20 | userinput | test.ps1:89:12:89:28 | ping $UserInput | provenance | |
@@ -86,6 +87,7 @@ nodes
 | test.ps1:40:30:40:62 | public class Foo { $UserInput } | semmle.label | public class Foo { $UserInput } |
 | test.ps1:45:11:45:20 | userinput | semmle.label | userinput |
 | test.ps1:47:5:47:9 | code | semmle.label | code |
+| test.ps1:47:13:47:45 | public class Foo { $UserInput } | semmle.label | public class Foo { $UserInput } |
 | test.ps1:48:30:48:34 | code | semmle.label | code |
 | test.ps1:73:11:73:20 | userinput | semmle.label | userinput |
 | test.ps1:75:25:75:54 | Get-Process -Name $UserInput | semmle.label | Get-Process -Name $UserInput |
diff --git a/powershell/ql/test/query-tests/security/cwe-089/SqlInjection.expected b/powershell/ql/test/query-tests/security/cwe-089/SqlInjection.expected
index bacce10af7ea..18ec593b3641 100644
--- a/powershell/ql/test/query-tests/security/cwe-089/SqlInjection.expected
+++ b/powershell/ql/test/query-tests/security/cwe-089/SqlInjection.expected
@@ -1,5 +1,5 @@
 edges
-| test.ps1:1:1:1:10 | userinput | test.ps1:4:1:4:6 | query | provenance | |
+| test.ps1:1:1:1:10 | userinput | test.ps1:4:10:4:62 | SELECT * FROM MyTable WHERE MyColumn = '$userinput' | provenance | |
 | test.ps1:1:1:1:10 | userinput | test.ps1:8:1:8:6 | query | provenance | |
 | test.ps1:1:1:1:10 | userinput | test.ps1:17:24:17:76 | SELECT * FROM MyTable WHERE MyColumn = '$userinput' | provenance | |
 | test.ps1:1:1:1:10 | userinput | test.ps1:28:24:28:76 | SELECT * FROM MyTable WHERE MyColumn = '$userinput' | provenance | |
@@ -7,16 +7,19 @@ edges
 | test.ps1:1:1:1:10 | userinput | test.ps1:128:28:128:37 | userinput | provenance | |
 | test.ps1:1:14:1:45 | Call to read-host | test.ps1:1:1:1:10 | userinput | provenance | Src:MaD:0 |
 | test.ps1:4:1:4:6 | query | test.ps1:5:72:5:77 | query | provenance | |
+| test.ps1:4:10:4:62 | SELECT * FROM MyTable WHERE MyColumn = '$userinput' | test.ps1:4:1:4:6 | query | provenance | |
 | test.ps1:8:1:8:6 | query | test.ps1:9:72:9:77 | query | provenance | |
 | test.ps1:72:1:72:11 | QueryConn2 [element Query] | test.ps1:81:15:81:25 | QueryConn2 | provenance | |
 | test.ps1:72:15:79:1 | ${...} [element Query] | test.ps1:72:1:72:11 | QueryConn2 [element Query] | provenance | |
 | test.ps1:78:13:78:59 | SELECT * FROM Customers WHERE id = $userinput | test.ps1:72:15:79:1 | ${...} [element Query] | provenance | |
-| test.ps1:121:9:121:56 | unvalidated | test.ps1:125:92:125:143 | SELECT * FROM Customers where id = $($unvalidated) | provenance | |
+| test.ps1:121:9:121:56 | unvalidated | test.ps1:125:128:125:142 | $(...) | provenance | |
+| test.ps1:125:128:125:142 | $(...) | test.ps1:125:92:125:143 | SELECT * FROM Customers where id = $($unvalidated) | provenance | |
 | test.ps1:128:28:128:37 | userinput | test.ps1:121:9:121:56 | unvalidated | provenance | |
 nodes
 | test.ps1:1:1:1:10 | userinput | semmle.label | userinput |
 | test.ps1:1:14:1:45 | Call to read-host | semmle.label | Call to read-host |
 | test.ps1:4:1:4:6 | query | semmle.label | query |
+| test.ps1:4:10:4:62 | SELECT * FROM MyTable WHERE MyColumn = '$userinput' | semmle.label | SELECT * FROM MyTable WHERE MyColumn = '$userinput' |
 | test.ps1:5:72:5:77 | query | semmle.label | query |
 | test.ps1:8:1:8:6 | query | semmle.label | query |
 | test.ps1:9:72:9:77 | query | semmle.label | query |
@@ -28,6 +31,7 @@ nodes
 | test.ps1:81:15:81:25 | QueryConn2 | semmle.label | QueryConn2 |
 | test.ps1:121:9:121:56 | unvalidated | semmle.label | unvalidated |
 | test.ps1:125:92:125:143 | SELECT * FROM Customers where id = $($unvalidated) | semmle.label | SELECT * FROM Customers where id = $($unvalidated) |
+| test.ps1:125:128:125:142 | $(...) | semmle.label | $(...) |
 | test.ps1:128:28:128:37 | userinput | semmle.label | userinput |
 subpaths
 #select