This work demonstrates that multimodal large language models are vulnerable to jailbreak attacks crafted as structured visual narratives—such as three-panel comics—which can circumvent their safety alignment mechanisms and induce harmful outputs. The authors introduce ComicJailbreak, the first benchmark for comic-style jailbreak attacks, built by extending JailbreakBench and JailbreakV. Through a combination of automated detection and human evaluation, they systematically assess 15 leading models. Experiments reveal that these attacks achieve over 90% success rates on multiple commercial models, matching the efficacy of strong rule-based jailbreaks and substantially outperforming text-only or random-image baselines. While existing defenses can suppress harmful responses, they incur a significant increase in false rejections of benign inputs, further exposing the unreliability of current safety evaluators on sensitive yet non-harmful content.

Multimodal Large Language Models (MLLMs) extend text-only LLMs with visual reasoning, but also introduce new safety failure modes under visually grounded instructions. We study comic-template jailbreaks that embed harmful goals inside simple three-panel visual narratives and prompt the model to role-play and "complete the comic." Building on JailbreakBench and JailbreakV, we introduce ComicJailbreak, a comic-based jailbreak benchmark with 1,167 attack instances spanning 10 harm categories and 5 task setups. Across 15 state-of-the-art MLLMs (six commercial and nine open-source), comic-based attacks achieve success rates comparable to strong rule-based jailbreaks and substantially outperform plain-text and random-image baselines, with ensemble success rates exceeding 90% on several commercial models. Then, with the existing defense methodologies, we show that these methods are effective against the harmful comics, they will induce a high refusal rate when prompted with benign prompts. Finally, using automatic judging and targeted human evaluation, we show that current safety evaluators can be unreliable on sensitive but non-harmful content. Our findings highlight the need for safety alignment robust to narrative-driven multimodal jailbreaks.