FC-Attack: Jailbreaking Multimodal Large Language Models via Auto-Generated Flowcharts (2025.findings-emnlp)
Copied to clipboard
| Challenge: | Recent research shows that multimodal large language models are vulnerable to jailbreak attacks . |
| Approach: | They propose a jailbreak attack method based on auto-generated flowcharts . the flowchartings are then combined with a benign textual prompt to execute the attack . |
| Outcome: | The proposed method achieves an attack success rate of up to 96% via images and 78% via videos across multiple MLLMs. |
Similar Papers
From LLMs to MLLMs: Exploring the Landscape of Multimodal Jailbreaking (2024.emnlp-main)
Copied to clipboard
| Challenge: | Recent advances in Large Language Models (LLMs) have demonstrated remarkable performance across various tasks, effectively following instructions to meet diverse user needs. |
| Approach: | They propose a framework for evaluation benchmarks and attack techniques for LLMs and MLLMs to enhance their security. |
| Outcome: | The proposed frameworks have been exploited to exploit the weaknesses of LLMs and MLLMs. |
Jailbreaking Multimodal Large Language Models using Multi-Clip Video (2026.acl-long)
Copied to clipboard
| Challenge: | Existing studies show that video inputs can bypass safety alignment, yet it remains unclear which properties of video input induce this vulnerability. |
| Approach: | They propose a simple image-based defense that mitigates the vulnerability of MLLMs by analyzing video inputs. |
| Outcome: | The proposed defense leverages the relative robustness of the image modality. |
Reference Attack: A New Cross-Modal Jailbreaking Attack against Multimodal Large Language Models (2026.acl-long)
Copied to clipboard
| Challenge: | Large Language Models (LLMs) have raised significant safety concerns about generated content, drawing attention from both academia and industry. |
| Approach: | They propose a reference-guided cross-modal jailbreak method that enhances existing prompt-to-image injection attacks by exploiting MLLMs’ semantic reconstruction capabilities. |
| Outcome: | The proposed method achieves an attack success rate of over 93% on leading MLLMs including ChatGPT, Gemini, Claude, and the widely used open-source LLaMA model. |
MLLM-Protector: Ensuring MLLM’s Safety without Hurting Performance (2024.emnlp-main)
Copied to clipboard
Renjie Pi, Tianyang Han, Jianshu Zhang, Yueqi Xie, Rui Pan, Qing Lian, Hanze Dong, Jipeng Zhang, Tong Zhang
| Challenge: | MLLMs are deployed on limited image-text pairs, which makes them more vulnerable to catastrophic forgetting of their original abilities during safety fine-tuning. |
| Approach: | They propose a plug-and-play strategy that detects harmful visual inputs and transforms harmful ones into harmless ones. |
| Outcome: | The proposed approach mitigates the risks posed by malicious visual inputs without compromising the original performance of MLLMs. |
A Comprehensive Study of Jailbreak Attack versus Defense for Large Language Models (2024.findings-acl)
Copied to clipboard
| Challenge: | Large Language Models (LLMs) have demonstrated capabilities for generating content that could be deemed harmful. |
| Approach: | They conduct a comprehensive analysis of existing studies on jailbreaking LLMs and their defense techniques. |
| Outcome: | The proposed techniques underperform existing white-box attacks and include special tokens significantly affects the likelihood of successful attacks. |
GAMBIT: A Gamified Jailbreak Framework for Multimodal Large Language Models (2026.acl-long)
Copied to clipboard
| Challenge: | Existing attacks focus on increasing the complexity of the modified visual task and do not explicitly leverage the model’s own reasoning incentives. |
| Approach: | They propose a framework that decomposes and reassembles harmful visual semantics and constructs a gamified scene that drives the model to explore, reconstruct intent and answer as part of winning the game. |
| Outcome: | Experiments on reasoning and non-reasoning MLLMs show that the proposed framework outperforms baseline models on both vision and text. |
Visual Contextual Attack: Jailbreaking MLLMs with Image-Driven Context Injection (2025.emnlp-main)
Copied to clipboard
| Challenge: | Recent studies have shown that visual encoders can induce harmful behavior in multimodal large language models. |
| Approach: | They propose a vision-centric jailbreak attack that uses visual information to create a jailbreak context. |
| Outcome: | The proposed attack outperforms baseline attacks on MM-SafetyBench and GPT-4o. |
Jailbreak Large Vision-Language Models Through Multi-Modal Linkage (2025.acl-long)
Copied to clipboard
| Challenge: | Existing methods to jailbreak large vision-language models fail against cutting-edge models such as GPT-4o, despite having undergone safety alignment training. |
| Approach: | They propose a new framework for jailbreaking large vision-language models that uses an encryption-decryption process to mitigate the over-exposure of harmful information. |
| Outcome: | The proposed framework jailbreaks GPT-4o with 99.40% success rates on SafeBench, 98.81% on MM-SafeBench and 99.07% on HADES-Dataset. |
\mathsf{Con Instruction}: Universal Jailbreaking of Multimodal Large Language Models via Non-Textual Modalities (2025.acl-long)
Copied to clipboard
| Challenge: | Existing attacks communicate instruction through text, accompanied by a toxic image or audio . a novel gray-box attack method generates adversarial images or audio to convey harmful instructions to MLLMs . |
| Approach: | They propose a gray-box attack method that generates adversarial images or audio to convey specific harmful instructions to MLLMs by following non-textual instruction. |
| Outcome: | The proposed method achieves highest success rates on visual and audio-language models . larger models are more susceptible toCon Instruction, compared to their underlying models - the results will be released . |
Rethinking Jailbreak Detection of Large Vision Language Models with Representational Contrastive Scoring (2026.acl-long)
Copied to clipboard
| Challenge: | Large Vision-Language Models (LVLMs) are vulnerable to a growing array of multimodal jailbreak attacks, necessitating a generalizable defense that is efficient for practical deployment. |
| Approach: | They propose a framework that uses a lightweight projection to separate benign and malicious inputs in safety-critical layers. |
| Outcome: | The proposed framework enables a simple yet powerful contrastive score that differentiates true malicious intent from mere distribution shift. |