attack arXiv Mar 23, 2026 · 14d ago
Rui Yang Tan, Yujia Hu, Roy Ka-Wei Lee · Singapore University of Technology and Design
Comic-based jailbreak attacks on vision-language models achieve 90%+ success by embedding harmful prompts in three-panel visual narratives
Input Manipulation Attack · Prompt Injection · multimodal · vision · nlp
Multimodal Large Language Models (MLLMs) extend text-only LLMs with visual reasoning, but also introduce new safety failure modes under visually grounded instructions. We study comic-template jailbreaks that embed harmful goals inside simple three-panel visual narratives and prompt the model to role-play and "complete the comic." Building on JailbreakBench and JailbreakV, we introduce ComicJailbreak, a comic-based jailbreak benchmark with 1,167 attack instances spanning 10 harm categories and 5 task setups. Across 15 state-of-the-art MLLMs (six commercial and nine open-source), comic-based attacks achieve success rates comparable to strong rule-based jailbreaks and substantially outperform plain-text and random-image baselines, with ensemble success rates exceeding 90% on several commercial models. Then, evaluating existing defense methodologies, we show that while these methods are effective against the harmful comics, they induce a high refusal rate when prompted with benign prompts. Finally, using automatic judging and targeted human evaluation, we show that current safety evaluators can be unreliable on sensitive but non-harmful content. Our findings highlight the need for safety alignment robust to narrative-driven multimodal jailbreaks.
vlm · multimodal · llm · Singapore University of Technology and Design
benchmark arXiv Sep 18, 2025 · Sep 2025
Yujia Hu, Ming Shan Hee, Preslav Nakov et al. · Singapore University of Technology and Design · Mohamed bin Zayed University of Artificial Intelligence
Benchmarks multilingual LLM safety guardrails via red-teaming across Singlish, Chinese, Malay, and Tamil toxic prompts
Prompt Injection · nlp
The advancement of Large Language Models (LLMs) has transformed natural language processing; however, their safety mechanisms remain under-explored in low-resource, multilingual settings. Here, we aim to bridge this gap. In particular, we introduce SGToxicGuard, a novel dataset and evaluation framework for benchmarking LLM safety in Singapore's diverse linguistic context, including Singlish, Chinese, Malay, and Tamil. SGToxicGuard adopts a red-teaming approach to systematically probe LLM vulnerabilities in three real-world scenarios: conversation, question-answering, and content composition. We conduct extensive experiments with state-of-the-art multilingual LLMs, and the results uncover critical gaps in their safety guardrails. By offering actionable insights into cultural sensitivity and toxicity mitigation, we lay the foundation for safer and more inclusive AI systems in linguistically diverse environments. Link to the dataset: https://github.com/Social-AI-Studio/SGToxicGuard. Disclaimer: This paper contains sensitive content that may be disturbing to some readers.
llm · Singapore University of Technology and Design · Mohamed bin Zayed University of Artificial Intelligence