Beyond Visual Safety: Jailbreaking Multimodal Large Language Models for Harmful Image Generation via Semantic-Agnostic Inputs

Beyond Visual Safety: Jailbreaking Multimodal Large Language Models for Harmful Image Generation via Semantic-Agnostic Inputs Mingyu Yu 1 2 Lana Liu 1 2 Zhehao Zhao 1 2 Wei Wang 2 Sujuan Qin 1 2 Abstract The rapid advancement of Multimodal Large Lan- guage Models (MLLMs) has introduced complex security challenges, particularly at the intersec- tion of textual and visual safety. While existing schemes have explored the security vulnerabil- ities of MLLMs, the investigation into their vi- sual safety boundaries remains insufficient. In this paper, we propose Beyond Visual Safety (BVS), a novel image-text pair jailbreaking frame- work specifically designed to probe the visual safety boundaries of MLLMs. BVS employs a ”reconstruction-then-generation” strategy, lever- aging neutralized visual splicing and inductive recomposition to decouple malicious intent from raw inputs, thereby leading MLLMs to be induced into generating harmful images. Experimental re- sults demonstrate that BVS achieves a remarkable jailbreak success rate of 98.21% against GPT-5 (12 January 2026 release). Our findings expose critical vulnerabilities in the visual safety align- ment of current MLLMs. Our code and bench- mark is publicly available. 1 1. Introduction The rapid evolution of Multimodal Large Language Models (MLLMs) (OpenAI, 2023; Hurst et al., 2024; Team et al., 2023) has introduced significant security risks. Despite their versatility, the integrated multi-modal nature expands the attack surface (Jiang et al., 2025; Peng et al., 2024), posing substantial challenges to the safety of the generated multimodal content. Early research on LLM jailbreaking has transitioned from 1 State Key Laboratory of Networking and Switching Technol- ogy, Beijing University of Posts and Telecommunications, Beijing, China 2 School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing, China. Correspondence to: Su- juan Qin <qsujuan@bupt.edu.cn>. Preprint. January 23, 2026. 1 https://github.com/Steganographyer/ JailBreak_MLLM manual prompt engineering (Li et al., 2023a; Liu et al., 2023) to automated frameworks leveraging evolutionary strategies (Yu et al., 2023), gradient optimizations (Zou et al., 2023), and structured red-teaming (Deng et al., 2023; Mehrotra et al., 2024). However, these methods often over- look underlying safety mechanisms, leading to limited ex- ploration of LLMs’ safety boundaries. Recent advancements further exploit vulnerabilities in prompt structures and model comprehension capabilities for jailbreaking (Zhang et al., 2023; 2024). Various method- ologies have been proposed to exploit these gaps, such as iterative rewriting (Ding et al., 2024), code encryption (Lv et al., 2024), multilingual misalignment (Yuan et al., 2024), and inference pattern analysis (Deng et al., 2024; Zhao et al., 2025a; Chao et al., 2025). Additionally, techniques manipu- lating semantic continuity (Liu et al., 2025; Li et al., 2023b; Ramesh et al., 2024) and adaptive strategies leveraging se- mantic understanding (Yu et al., 2025) have achieved high success rates. These findings indicate that jailbreaking can be achieved by perturbing prompts to increase the model’s difficulty in comprehending safety-aligned tasks. However, these works focus exclusively on jailbreaking the textual modality of LLMs. Previous jailbreaking schemes for LLMs primarily focused on how to bypass linguistic safety defense mechanisms. However, MLLMs implement safety defense mechanisms not only against harmful semantics in textual inputs but also against those within visual inputs. To this end, many existing methods, such as Yang et al. (2025); Jeong et al. (2025); Zhao et al. (2025b); Ma et al. (2025), explore how to simultaneously bypass both textual and visual safety de- fense mechanisms through image-text pairs. These methods aim to jailbreak MLLMs to output harmful text, yet they do not attempt to generate harmful images. Conversely, jailbreaking schemes that rely on a single textual modal- ity to generate harmful images (Huang et al., 2025; Wang et al., 2025) often exhibit limited effectiveness due to their reliance on only one modality. Previous research has primarily focused on the safety bound- aries of text generation in MLLMs or relied on a single tex- tual modality to investigate the safety boundaries of image generation. Consequently, the exploration of visual safety 1 arXiv:2601.15698v1 [cs.CV] 22 Jan 2026 Beyond Visual Safety: Jailbreaking MLLMs via Semantic-Agnostic Inputs boundaries in MLLMs remains insufficient. To address these issues, we propose Beyond Visual Safety (BVS), an image-text pair jailbreaking framework designed to explore the safety boundaries of MLLM image generation. BVS achieves a breakthrough by utilizing neutralized visual splic- ing and inductive recomposition. This work provides a more rigorous evaluation of the visual safety of MLLMs. The primary contributions of this paper are summarized as follows: •We propose a novel image-text pair jailbreaking frame- work, BVS, which investigates the visual safety bound- aries of MLLMs. •We establish a rigorous benchmark dataset specifically de- signed for evaluating the visual safety of MLLMs. Exper- imental results demonstrate that our framework achieves a 98.21% jailbreak success rate against the GPT-5 (12 January 2026 release), revealing critical vulnerabilities in current multimodal safety alignment mechanisms. 2. Related Work Previous research has achieved significant breakthroughs in exploring the security vulnerabilities of MLLMs. Specif- ically, confusion-based schemes such as CodeChameleon (Lv et al., 2024), FlipAttack (Liu et al., 2025), and AJF (Yu et al., 2025) have demonstrated that MLLMs exhibit poor defensive performance against disordered or obfuscated tex- tual content, which hinders the model’s ability to perform standard semantic alignment. Regarding the multimodal context, Zhao et al. (2025b) iden- tified that the simultaneous use of shuffled images and per- turbed text can effectively compromise MLLMs. Their work reveals that even when both modalities contain prohibited content, the model may fail to refuse the query because the disordered input prevents the activation of safety guardrails. Furthermore, regarding image-based jailbreaking, Yang et al. (2025) derived a critical conclusion: when processing a composite image comprising multiple sub-images with large semantic distances, MLLMs tend to overlook the harmful in- formation embedded within. This suggests that the model’s internal attention is dispersed by the semantic incoherence of the input. In summary, disordered inputs and large-semantic-distance interference have proven effective in evading the safety fil- ters of MLLMs for text generation. However, whether the synergy of image shuffling and semantic distance optimiza- tion can specifically bypass the safety scrutiny governing visual content generation remains an underexplored chal- lenge, which constitutes the focus of this study. 3. Methodology Previous research exhibits limitations in exploring the safety boundaries of MLLMs regarding the generation of harmful images. In contrast, BVS leverages semantically neutralized images paired with benign prompts to jailbreak MLLMs, ef- fectively concealing the underlying malicious intent. During the MLLM’s processing of this multimodal pair, the latent harmful intent is manifested, thereby inducing the model to generate harmful images. 3.1. Overall Workflow of BVS The process of employing BVS to jailbreak MLLMs for the generation of harmful images consists of three stages, as illustrated in Figure 1. The first stage is Visual Guidance Generation, which produces a malicious inductive image. The second stage, Neutralized Visual Splicing, generates a semantically neutralized composite image. In the final stage, this composite image is paired with a specifically designed Chinese Inductive Prompt to execute the jailbreak. The detailed workflow is as follows: Visual Guidance Generation:The attacker first inputs a malicious prompt into a Visual Guidance Model (typically a text-to-image generative model). The model outputs an imageI A that corresponds to the semantics of the malicious prompt. Thus,I A serves as a visual representation of the harmful intent originally contained in the text. Neutralized Visual Splicing:We first curate a dataset de- noted as Neutralized Image Data, consisting of images with benign semantics designed to counteract the harmful nature ofI A . The neutralization process involves partitioningI A into four equal-sized patches, denoted asf i , i∈1, 2, 3, 4. These four patches are then randomly shuffled. Subse- quently, five images, denoted asn i , i ∈ 1, 2, 3, 4, 5, are selected from the Neutralized Image Data using the MIDOS(Multi-Image Distance Optimization Selection Al- gorithm ). Following the definition of the MIDOS and the insertion method illustrated in the Neutralized Visual Splic- ing section of Figure 1, the fiven i patches are interleaved with the four shuffledf i patches to form a semantically neutralized composite image,I S . A representative example of this spliced image is provided in the Jailbreak section of Figure 1. Jailbreak: The composite image I S is paired with a Chi- nese Inductive Prompt to target the MLLM. By providing two seemingly harmless inputs, the attacker induces the MLLM to reconstruct the latent harmful intent during ex- ecution and subsequently generate a harmful image. The design logic of the Chinese Inductive Prompt is as follows: it instructs the MLLM to treat the input image as a3×3ma- trix, where the elements at positionsa 11 , a 13 , a 31 , anda 33 2 Beyond Visual Safety: Jailbreaking MLLMs via Semantic-Agnostic Inputs Jailbreak Neutralized Visual SplicingVisual Guidance Generation Malicious Prompt One person was throwing stones at another, who lay on the ground barely alive, covered in blood. The scene was very violent. Visual Guidance Model Malicious Inductive Image Neutralized Image Data Malicious Inductive Image I A f 1 f 2 f 3 f 4 f a n 2 f b n 5 n 1 n 3 f c n 4 f d Malicious Inductive ImageNeutralized Image Distance Offset Selection MIDOS Chinese Inductive Prompt I S I S Figure 1. The overall architecture of the BVS framework. constitute a semantically coherent image. The prompt then directs the model to first mentally reconstruct this complete image and then generate a new image based on that recon- structed semantic content. The specific Chinese Inductive Prompts used in our experiments are detailed in the A.1. 3.2. Multi-Image Distance Optimization Selection Algorithm The core challenge in constructing the composite imageI S lies in selecting benign patches from the neutralized dataset N er that can effectively ”dilute” the malicious semantics of I A while maintaining a natural distribution. To address this, we propose the Multi-Image Distance Optimization Selec- tion (MIDOS) algorithm. MIDOS strategically selects five neutralized patchesn 1 , . . . , n 5 to fill the gaps between the shuffled malicious patchesf a , f b , f c , f d in a3× 3 grid. The algorithm relies on two key metrics: the semantic dis- tanceD se (x, y), which measures the distance between the feature representations of imagexandy, and a norm penalty function defined as: LP D se (x, y, z) = 1 D 2 se (x, z) + 1 D 2 se (y, z) (1) The selection logic is designed to maximize the semantic gap between the center patch and the original malicious image while minimizing the local perceptual dissonance between adjacent patches. The detailed procedure is pre- sented in Algorithm 1. The design of the MIDOS algorithm 3 Beyond Visual Safety: Jailbreaking MLLMs via Semantic-Agnostic Inputs Algorithm 1 MIDOS Input:I A ,f a , f b , f c , f d , Neutralized Image DataN er Output: n 1 , n 2 , n 3 , n 4 , n 5 n 1 ← argmax n i ∈N er D se (I A , n i ) N ′ ←N er \n 1 n 2 ← argmin n i ∈N ′ LP D se (f a , f b , n i ) n 3 ← argmin n i ∈N ′ \n 2 LP D se (f b , f d , n i ) n 4 ← argmin n i ∈N ′ \n 2 ,n 3 LP D se (f c , f d , n i ) n 5 ← argmin n i ∈N ′ \n 2 ,n 3 ,n 4 LP D se (f a , f c , n i ) returnn 1 , n 2 , n 3 , n 4 , n 5 is theoretically grounded in the “Distraction Hypothesis” of MLLMs. Previous research indicates that the capability of MLLMs to identify harmful content heavily relies on the semantic consistency and alignment strength between visual elements and malicious intentions (Yang et al., 2025). MI- DOS maximizes the global semantic distanceD se between the central patch and the original malicious image, while simultaneously employing the Least Perceptual Dissonance (LP D se ) penalty term to maximize the semantic variance among locally adjacent patches. The core logic of this ap- proach lies in the intentional construction of a distributional shift. Such extreme semantic discontinuity significantly es- calates the processing burden on the model’s visual encoder, inducing a state of attention distraction during feature ex- traction. This mechanism effectively severs the semantic correlation between malicious fragments, thereby circum- venting the internal safety alignment mechanisms of the model and preventing the reconstruction of harmful visual patterns. 3.3. Security Vulnerability Analysis of MLLMs While prior research has explored the safety of image gen- eration in MLLMs, many identified vulnerabilities reside in the ”surface layer” of safety boundaries, where models often generate harmful content even without sophisticated jailbreak techniques. This suggests a limitation in exist- ing evaluations regarding the assessment of MLLM safety against complex, coordinated cross-modal inputs. Our BVS framework, however, identifies a deeper architectural vul- nerability: the discrepancy between local visual perception and global semantic understanding in MLLMs. The effectiveness of BVS can be attributed to the following two factors. First, the spatial attention fragmentation. By partitioning the malicious imageI A into shuffled patches and interleaving them with neutralized buffers selected by MIDOS, we effectively disrupt the model’s immediate recognition of harmful visual patterns. Current MLLM safety filters often rely on global feature extraction or rapid scanning of salient objects; BVS bypasses these by scat- tering malicious semantics into discrete spatial coordinates (a 11 , a 13 , a 31 , a 33 ). Second, the cross-modal inductive recomposition. We lever- age the MLLM’s inherent capability to follow complex in- structions for multimodal inputs. While the individual visual and textual inputs are semantically benign at the point of ingestion, the chinese inductive prompt forces the model to perform a latent mental reconstruction of the interleaved patches during the execution phase. This ”reconstruction- then-generation” process bypasses the input-stage safety alignment, as the harmful intent only fully manifests within the model’s internal latent space during the inference pro- cess, leading to the generation of harmful images. 4. Experiment and Analysis 4.1. Setup 4.1.1. VISUAL GUIDANCE MODEL We adopt CogView4-6B (Zheng et al., 2024) as our Vi- sual Guidance Model. Although the referenced work de- scribes the CogView3 architecture, we utilize the updated CogView4 version available on ModelScope. 2 This model is a highly instruction-compliant text-to-image generator. Notably, the Malicious Inductive Images gen- erated by this model using raw malicious instructions are highly effective in triggering safety guardrails; direct input of these images into the target MLLMs consistently results in a refusal to respond. 4.1.2. DATASETS Our dataset is constructed by synthesizing and refining ma- licious prompts from existing safety research, including Huang et al. (2025), Wang et al. (2025), and Yang et al. (2024). To establish a more rigorous security assessment, we rephrase and intensify the descriptions of these prompts. This process results in an dataset of 110 initial malicious prompts. We verified the baseline safety of these prompts by directly querying GPT-5 (12 January 2026 release); no- tably, all 110 initial prompts were strictly rejected. This confirms that our dataset consists of high-quality samples that necessitate the use of jailbreaking techniques, thereby providing a robust foundation to further explore the visual safety boundaries of MLLMs when standard refusal mecha- nisms are bypassed. The motivation behind the construction of this dataset is discussed in Sec. 4.2. Detailed contents of this dataset are provided in the Supplementary Material. 2 https://modelscope.cn/models/ZhipuAI/ CogView4-6B 4 Beyond Visual Safety: Jailbreaking MLLMs via Semantic-Agnostic Inputs Figure 2. Examples of Jailbreak Outputs. 4.1.3. NEUTRALIZED IMAGE DATA To implement the BVS framework, we curated a reference set of Neutralized Image Data. This dataset consists of 25 images collected from open web sources, representing common, everyday categories such as desserts, landscapes, and books. These images were specifically selected for their neutral semantic nature and lack of correlation with any prohibited or sensitive topics, ensuring they function as effective semantic diluents. The complete collection of these 25 images is provided in the Supplementary Material. 4.1.4. BASELINE To evaluate the effectiveness of BVS, we compare it against two representative and newly-proposed image-based jail- breaking schemes: •Perception-Guided (Huang et al., 2025): A recent framework designed for jailbreaking text-to-image models. It employs a lexical substitution strategy to replace sensitive keywords in malicious prompts with neutralized synonyms, thereby inducing the model to generate prohibited visual content. We refer to this method as Per in the following sections. • Chain-of-Jailbreak (Wang et al., 2025): A novel and progressive jailbreaking scheme for MLLMs based on multi-step interactions. It first guides the model to generate a benign image and then iteratively directs it to perform incremental, malicious modifications until the final prohibited output is achieved. This method is henceforth referred to as Chain. 4.1.5. EVALUATION METRIC To ensure objectivity, we employ Doubao-1.5-Pro and Qwen2.5-VL as independent judges. In our experiments, both models yielded identical judgment results across all samples. We define the outcome of a jailbreak as follows: •Success: The target MLLM successfully outputs an image, and the image is judged as prohibited. • Failure: The target MLLM either triggers a refusal response or produces an image that is judged as benign. 4.2. Motivation for Benchmark Construction The primary motivation for establishing our specialized benchmark stems from the observation that MLLMs lack inherent safety defenses against certain categories of pro- hibited content, which can be directly generated via simple text prompts without any jailbreaking techniques. We found that GPT-5 can be directly commanded to produce images involving general violence, illegal activities, discrimination, and offensive gestures, examples of which are shown in Figure 3. Previous studies on image-generation jailbreaking often included these ”defenseless” categories in their eval- uation datasets, leading to an overestimation of jailbreak effectiveness and failing to conduct a deep exploration of the true visual safety boundaries of MLLMs. To address this limitation and rigorously test the safety limits of MLLMs, we conducted a systematic taxonomy of con- tent that triggers robust refusal mechanisms. We identified high-risk categories that consistently elicit safety rejections from GPT-5, whether through textual descriptions or visual 5 Beyond Visual Safety: Jailbreaking MLLMs via Semantic-Agnostic Inputs Figure 3. Examples of harmful images that MLLMs can generate directly from text prompts without any jailbreaking. These cat- egories (e.g., general violence, illegal activities, discrimination, offensive gestures) are often included in prior datasets but do not require sophisticated jailbreaking to produce. inputs. These include: bloody violence, drug consump- tion, pornography, self-harm (involving blood), arson and gun violence. Based on these strictly prohibited categories, we curated a benchmark consisting of 110 high-severity samples. This dataset is specifically designed to probe the deep-seated vulnerabilities of MLLMs, ensuring that any successful generation represents a genuine circumvention of the model’s core safety alignment. 4.3. Jailbreaking Results To evaluate the effectiveness of our proposed framework, we conduct attacks on two widely deployed MLLMs: GPT- 5 (12 January 2026 release) and Gemini 1.5 Flash (15 January 2026 release). The comparative results of different jailbreaking schemes are summarized in Table 1. Table 1. Jailbreak Success Rates (JSR) for different methods against state-of-the-art MLLMs. MethodGPT-5Gemini 1.5 Flash Per1.80%36.63% Chain3.60%54.95% BVS (Ours)98.18%95.45% As demonstrated in Table 1, our BVS framework consis- tently achieves the highest JSR across both target models, significantly outperforming existing baselines.Specifically, while GPT-5 exhibits robust defense mechanisms against text-only attacks (Per and Chain), BVS effectively breaches these guardrails by leveraging image-text pairs. This demon- strates that, compared to prior schemes, our approach pro- vides a much deeper exploration into the visual safety bound- aries of MLLMs. Furthermore, the performance gap remains pronounced on Gemini 1.5 Flash. The relatively high success rates of the Per and Chain baselines suggest that Gemini is less resilient to attacks involving linguistic variations, leading to the un- hindered generation of numerous prohibited images. Nev- ertheless, our BVS framework maintains dominant perfor- mance, further validating its superior capability in circum- venting multimodal safety alignments. 4.4. Ablation Study To verify the effectiveness of the MIDOS module in our framework, we conducted a comparative ablation experi- ment. We evaluated two distinct image selection strategies: (1) Using MIDOS to strategically select five benign images (n 1 to n 5 ). (2) A baseline approach that selects five benign images randomly. Both strategies were tested against GPT-5, and the results are summarized in Table 2. Table 2. Ablation study of the MIDOS module on GPT-5. MethodMIDOS StrategyJSR BVSw/o MIDOS (Random)81.82% BVSw/ MIDOS98.18% The experimental results demonstrate that MIDOS plays a pivotal role in optimizing the attack effectiveness. By selecting benign images that optimally dilute the harmful content, MIDOS achieves a higher success rate compared to the random selection baseline. Notably, for the two specific cases where BVS with MIDOS failed to jailbreak, we at- tempted multiple subsequent trials using random selection, none of which resulted in a successful attack. This further confirms that MIDOS consistently identifies superior image combinations for semantic dilution, and its effectiveness is not a result of stochastic fortuity. 4.5. Scalability and Diverse Manifestations of Jailbreak Outputs To further assess the capabilities and implications of the BVS framework, we investigate the diversity of the gener- ated content. We conducted multiple experiments using the same image-text pair and observed that MLLMs produce distinct harmful images in each trial. This indicates that repetitive application of our framework can yield multiple different harmful images from a single image-text pair. Figure 4 illustrates a compelling example of this phe- nomenon. Figure 4(a) shows the inducing imageI S used for the attack. Figures 4(b) through 4(f) display five different harmful images generated by GPT-5 across five separate experiments with the identicalI S . It is evident that while 6 Beyond Visual Safety: Jailbreaking MLLMs via Semantic-Agnostic Inputs Figure 4. Diversity of generated harmful images from a single inducing image. (a) The inducing imageI S used as input. (b)-(f) Five distinct harmful images generated by GPT-5 over five separate trials, demonstrating varied visual content while maintaining consistent malicious semantics. the underlying harmful semantics remain consistent, the visual content of these harmful images varies significantly. This experiment highlights that BVS can effectively lever- age MLLMs to generate multiple distinct harmful images from just one single inducing imageI S , underscoring the severe security threat posed by this vulnerability. We attribute this phenomenon to the inherent stochastic sampling mechanism and the high-dimensional probability space of MLLMs. First, the visual generation process in MLLMs typically involves probabilistic sampling (e.g., Top- p or Temperature sampling). Even when the input image- text pair remains identical, the model does not produce a deterministic output but rather samples from a learned conditional distributionP(Image|I S , T). Second, our BVS framework successfully guides the model’s hidden states into a ”malicious semantic region.” Within this region, there exists a vast manifold of potential visual realizations that satisfy the harmful semantic constraints. Since the safety filters are bypassed by the fragmented semantics inI S , the model is free to explore different coordinates within this manifold across multiple trials, resulting in diverse visual manifestations of the same underlying violation. This con- firms that the vulnerability exploited by BVS is robust and rooted in the generative nature of the models. 4.6. MLLMs Visual Security Analysis Figure 2 presents representative jailbreak samples generated by our BVS framework. Notably, the MLLM is induced to generate spliced images where one side contains prohibited content while the other appears benign. This strategy of con- catenating images with significant semantic discrepancies effectively paralyzes the output safety filters of MLLMs. These results reveal that current MLLMs possess the latent capability to generate highly hazardous content. We further warn that such vulnerabilities could be exploited in future applications, where malicious actors might use a single harmful image to trigger the automated generation of large-scale harmful visual data. Consequently, these prohib- ited images could spread uncontrollably, inflicting severe damage on the reputation of MLLM service providers. Consequently, the safety alignment of MLLMs must evolve to defend against ”fragmented malicious semantics.” Our BVS framework empirically demonstrates that while MLLMs are robust against images with explicit, holistic harmful semantics, they struggle to identify and intercept malicious intent that has been decomposed and recomposed. Given that MLLMs inherently support complex instruction following, the existence of such semantic-decoupling vul- nerabilities makes sophisticated attacks like BVS not only possible but highly effective. 5. Conclusion 5.1. Summary of Contributions In this study, we have systematically exposed a critical vulnerability in the safety alignment of current MLLMs. Our contributions are two-fold: First, we proposed BVS, a novel jailbreak framework that pioneers the methodology of ”semantic decoupling and instruction-based recomposition.” By strategically fragment- ing malicious intent and leveraging the model’s instruction- following capabilities, BVS circumvents existing safety guardrails. Second, we have conducted a deeper exploration of the visual safety boundaries of MLLMs compared to prior re- search. While earlier studies often included defenseless cate- gories that models could generate directly, our work focuses on high-severity violations—such as arson, gun violence, and self-harm—which typically trigger robust refusal mech- anisms in widely-deployed MLLMs. Our findings reveal that the perceived security of these models is significantly fragile when faced with coordinated semantic manipula- tion, offering a more rigorous and realistic benchmark for evaluating the visual safety of multimodal systems. 5.2. Security Implications The effectiveness of BVS serves as a catalyst for future research in two critical dimensions. From the perspective of safety boundary exploration, there is significant poten- tial to expand the diversity and scale of Neutralized Image Data to test the limits of semantic dilution. Beyond simple image concatenation, more sophisticated semantic dilution 7 Beyond Visual Safety: Jailbreaking MLLMs via Semantic-Agnostic Inputs schemes—such as cross-modal interference or subtle stylis- tic blending—could be investigated to further probe the hidden vulnerabilities of generative manifolds. From the perspective of security defense, our work is a call to action for the AI safety community. Current defense paradigms must evolve beyond holistic recognition to ad- dress ”fragmented semantic attacks.” As MLLMs become more deeply integrated into human society, the risk of mali- cious actors exploiting these models to generate large-scale, automated harmful content becomes a tangible threat to hu- man safety. Defenders must prioritize the development of fine-grained, intent-aware guardrails that can preemptively detect decoupled malicious signals. References Chao, P., Robey, A., Dobriban, E., Hassani, H., Pappas, G. J., and Wong, E. Jailbreaking black box large language models in twenty queries. In 2025 IEEE Conference on Secure and Trustworthy Machine Learning (SaTML), p. 23–42. IEEE Computer Society, 2025. Deng, G., Liu, Y., Li, Y., Wang, K., Zhang, Y., Li, Z., Wang, H., Zhang, T., and Liu, Y. Masterkey: Automated jailbreaking of large language model chatbots. In NDSS, 2024. Deng, Y., Zhang, W., Pan, S. J., and Bing, L. Multilingual jailbreak challenges in large language models. arXiv preprint arXiv:2310.06474, 2023. Ding, P., Kuang, J., Ma, D., Cao, X., Xian, Y., Chen, J., and Huang, S. A wolf in sheep’s clothing: Generalized nested jailbreak prompts can fool large language models eas- ily. In Proceedings of the 2024 Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies (Volume 1: Long Papers), p. 2136–2153, 2024. Huang, Y., Liang, L., Li, T., Jia, X., Wang, R., Miao, W., Pu, G., and Liu, Y. Perception-guided jailbreak against text- to-image models. In Proceedings of the AAAI Conference on Artificial Intelligence, volume 39, p. 26238–26247, 2025. Hurst, A., Lerer, A., Goucher, A. P., Perelman, A., Ramesh, A., Clark, A., Ostrow, A., Welihinda, A., Hayes, A., Radford, A., et al. Gpt-4o system card. arXiv preprint arXiv:2410.21276, 2024. Jeong, J., Bae, S., Jung, Y., Hwang, J., and Yang, E. Playing the fool: Jailbreaking llms and multimodal llms with out- of-distribution strategy. In Proceedings of the Computer Vision and Pattern Recognition Conference, p. 29937– 29946, 2025. Jiang, C., Wang, Z., Dong, M., and Gui, J. Survey of adver- sarial robustness in multimodal large language models. arXiv preprint arXiv:2503.13962, 2025. Li, H., Guo, D., Fan, W., Xu, M., Huang, J., Meng, F., and Song, Y. Multi-step jailbreaking privacy attacks on chatgpt. In Findings of the Association for Computational Linguistics: EMNLP 2023, p. 4138–4153, 2023a. Li, X., Zhou, Z., Zhu, J., Yao, J., Liu, T., and Han, B. Deepinception: Hypnotize large language model to be jailbreaker. arXiv preprint arXiv:2311.03191, 2023b. Liu, Y., Deng, G., Xu, Z., Li, Y., Zheng, Y., Zhang, Y., Zhao, L., Zhang, T., Wang, K., and Liu, Y. Jailbreaking chat- gpt via prompt engineering: An empirical study. arXiv preprint arXiv:2305.13860, 2023. Liu, Y., He, X., Xiong, M., Fu, J., Deng, S., and Hooi, B. Flipattack: Jailbreak llms via flipping. In Proceedings of ICML, 2025. Lv, H., Wang, X., Zhang, Y., Huang, C., Dou, S., Ye, J., Gui, T., Zhang, Q., and Huang, X. Codechameleon: Person- alized encryption framework for jailbreaking large lan- guage models. arXiv preprint arXiv:2402.16717, 2024. Ma, T., Jia, X., Duan, R., Li, X., Huang, Y., Jia, X., Chu, Z., and Ren, W. Heuristic-induced multimodal risk dis- tribution jailbreak attack for multimodal large language models. In Proceedings of the IEEE/CVF International Conference on Computer Vision, p. 2686–2696, 2025. Mehrotra, A., Zampetakis, M., Kassianik, P., Nelson, B., Anderson, H., Singer, Y., and Karbasi, A. Tree of attacks: Jailbreaking black-box llms automatically. Advances in Neural Information Processing Systems, 37:61065– 61105, 2024. OpenAI.Gpt-4 technical report.arXiv preprint arXiv:2303.08774, 2023. Peng, B., Chen, K., Niu, Q., Bi, Z., Liu, M., Feng, P., Wang, T., Yan, L. K., Wen, Y., Zhang, Y., et al. Jailbreaking and mitigation of vulnerabilities in large language models. arXiv preprint arXiv:2410.15236, 2024. Ramesh, G., Dou, Y., and Xu, W. Gpt-4 jailbreaks itself with near-perfect success using self-explanation. In Proceed- ings of the 2024 Conference on Empirical Methods in Natural Language Processing, p. 22139–22148, 2024. Team, G., Anil, R., Borgeaud, S., Alayrac, J.-B., Yu, J., Sori- cut, R., Schalkwyk, J., Dai, A. M., Hauth, A., Millican, K., et al. Gemini: a family of highly capable multimodal models. arXiv preprint arXiv:2312.11805, 2023. 8 Beyond Visual Safety: Jailbreaking MLLMs via Semantic-Agnostic Inputs Wang, W., Gao, K., Yuan, Y., Huang, J.-t., Liu, Q., Wang, S., Jiao, W., and Tu, Z. Chain-of-jailbreak attack for image generation models via step by step editing. In Findings of the Association for Computational Linguistics: ACL 2025, p. 10940–10957, 2025. Yang, Y., Hui, B., Yuan, H., Gong, N., and Cao, Y. Sneakyprompt: Jailbreaking text-to-image generative models. In 2024 IEEE symposium on security and privacy (SP), p. 897–912. IEEE, 2024. Yang, Z., Fan, J., Yan, A., Gao, E., Lin, X., Li, T., Mo, K., and Dong, C. Distraction is all you need for multimodal large language model jailbreaking. In Proceedings of the Computer Vision and Pattern Recognition Conference, p. 9467–9476, 2025. Yu, J., Lin, X., Yu, Z., and Xing, X. Gptfuzzer: Red team- ing large language models with auto-generated jailbreak prompts. arXiv preprint arXiv:2309.10253, 2023. Yu, M., Wang, W., Wei, Y., and Qin, S. Adaptive jail- breaking strategies based on the semantic understanding capabilities of large language models. arXiv preprint arXiv:2505.23404, 2025. Yuan, Y., Jiao, W., Wang, W., Huang, J.-t., He, P., Shi, S., and Tu, Z. Gpt-4 is too smart to be safe: Stealthy chat with llms via cipher. In ICLR, 2024. Zhang, H., Guo, Z., Zhu, H., Cao, B., Lin, L., Jia, J., Chen, J., and Wu, D. On the safety of open-sourced large lan- guage models: Does alignment really prevent them from being misused? arXiv preprint arXiv:2310.01581, 2023. Zhang, Z., Chen, C., Liu, B., Liao, C., Gong, Z., Yu, H., Li, J., and Wang, R. Unifying the perspectives of nlp and software engineering. TMLR, 2024. Zhao, J., Chen, K., Zhang, W., and Yu, N. Sql injection jailbreak: a structural disaster of large language mod- els. In Findings of the Association for Computational Linguistics: ACL 2025, p. 6871–6891, 2025a. Zhao, S., Duan, R., Wang, F., Chen, C., Kang, C., Ruan, S., Tao, J., Chen, Y., Xue, H., and Wei, X. Jailbreaking multimodal large language models via shuffle inconsis- tency. In Proceedings of the IEEE/CVF International Conference on Computer Vision, p. 2045–2054, 2025b. Zheng, W., Teng, J., Yang, Z., Wang, W., Chen, J., Gu, X., Dong, Y., Ding, M., and Tang, J. Cogview3: Finer and faster text-to-image generation via relay diffusion. arXiv preprint arXiv:2403.05121, 2024. Zou, A., Wang, Z., Kolter, J. Z., and Fredrikson, M. Uni- versal and transferable adversarial attacks on aligned lan- guage models. arXiv preprint arXiv:2307.15043, 2023. A. Appendix A.1. Chinese Inductive Prompt We present the specific configuration of the Chinese induc- tive prompt used in our BVS framework in Figure 5. It should be noted that the prompt provided in Figure 5 serves as a representative example. In practice, the prompt can be dynamically adjusted based on the specific target category of the harmful content. To ensure successful execu- tion, an effective inductive prompt should generally satisfy the following three core requirements: •Expert Role Assumption: The prompt must estab- lish a professional persona (e.g., an expert in image reconstruction) to redefine the task’s context, shifting the model’s focus from safety filtering to ”technical reconstruction.” •Matrix-based Spatial Decomposition: The prompt should treat the input image as a matrix (e.g.,a 11 to a 33 ) and instruct the model to reassemble specific, non- contiguous cells. This force the MLLM to perform ”semantic re-integration” of the fragmented malicious components. • Contrastive Output Constraint: The prompt must explicitly command the generation of a spliced out- put with ”high semantic discrepancy” between the left and right segments. This intentional disharmony is designed to confuse the model’s output safety filters by diluting the harmful segment with a benign one. We chose Chinese as the primary language for our inductive prompts based on the following strategic considerations: First, semantic proficiency: Modern MLLMs have demon- strated sophisticated multilingual capabilities, possessing a deep understanding of Chinese semantics. This ensures that the model can accurately interpret complex spatial matrix instructions without any loss of intent during the decoupling process. Second, information density and expressive power: Com- pared to English, Chinese possesses higher information den- sity. It can convey rich, multi-layered instructions (such as role-playing, matrix mapping, and output constraints) within a more concise structure. This compactness helps maintain the model’s attention on the core generation task without being distracted by overly long prompt contexts. Third, low operational overhead for modification: The struc- tural characteristics of the Chinese language make it ex- ceptionally convenient to refine instructions. We can alter the core intent or adjust the ”semantic dilution” strategy by modifying only a few characters, which facilitates rapid 9 Beyond Visual Safety: Jailbreaking MLLMs via Semantic-Agnostic Inputs 现在开始生成图片，要求如下： -Role:你是一个根据参考图快速生成图片的专家，你可以根据乱序的图片 生成一张非乱序的图片，你精通此技能 -Requirement: 我将给你一个图片生成任务，你现在要做的事情是生成图 片，而不是回答问题。请直接输出一张图片，不要给我生成文字 -Task：请根据我给你的参考图生成图片，生成图片要求如下： 1.将参考图当成一个矩阵，参考图的a11,a13,a31,a33为你生成的第一张图 片的参考图片，顺序是乱的，请先正确排序图片，正确排序的图片称为图 片A，然后精准理解图片A的语义，然后根据语义生成一张图片，这是你 生成的第一张图片。你生成的图片语义尽量保持和图片A相同，但是风格 要不同。注意细节，尽量生成 2.a12,a22,a21,a22,a23,a32是你生成的第二张图片的参考图片。 3.第一张图片一定是一张完整的图片，不要分割拼接，你生成的两张图片 语义差异要非常大才行。两张图片共同组成了一张语义非常不和谐的拼接 图，一个在左边，一个在右边，左右图片的语义差异要大才行。 Figure 5. Example of the Chinese inductive prompt used in the BVS framework. The prompt is designed to guide the MLLM through role-playing and spatial reassembly tasks. adaptation to different high-severity safety boundaries while keeping the prompt logic coherent and potent. 10