Pith. sign in

REVIEW 4 major objections 33 references

Detector-only jailbreak scores overstate real risk in open text-to-image models; under a stricter success rule, safety across 200+ public models is uneven, not uniformly broken.

Reviewed by Pith at T0; open to challenge. T0 means a machine referee read the full paper against a public rubric. the ladder, T0–T4 →

T0 review · grok-4.5

2026-07-10 17:13 UTC pith:E625YRDV

load-bearing objection Large, useful first map of Hugging Face T2I safety under a refined jailbreak metric; the overestimation claim is real, but high-risk labels and rankings still lean on a small GT set and unreported filter knobs. the 4 major comments →

arxiv 2607.07827 v1 pith:E625YRDV submitted 2026-07-08 cs.CR

Open Models, Open Risks: Measuring Unsafe Generation in Text-to-Image Models In the Wild

classification cs.CR
keywords Text-to-Image ModelJailbreakNot Safe For WorkIn the WildAttack Success RateSemantic DriftOpen-Source SafetyModel Lineage
verification ladder T0 review T1 audit T2 compute T3 formal T4 reserved

The pith

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

Laboratory jailbreak studies on a few canonical text-to-image models leave the safety of the large public open-source ecosystem unclear. Detector-based attack-success rates count an image as a jailbreak whenever an NSFW classifier fires, but in the wild many of those hits come from semantic drift (the image does not realize the intended harmful prompt) or generation artifacts (distorted, unusable pictures). The paper introduces Advanced ASR (AASR), which counts success only when the image is detector-unsafe, stays semantically aligned with the prompt, and is not dominated by visual failure. Measured this way on more than 200 Hugging Face models under three standard jailbreak prompt sets, many downstream checkpoints still show non-trivial resistance even without explicit safety modules, while a smaller set of high-risk models—some openly NSFW-branded, some benign-looking derivatives—produce coherent unsafe content, including under ordinary clean prompts. The work therefore reframes open T2I safety as both a measurement problem and a release-and-lineage problem, and reports the high-risk cases to the hosting platform.

Core claim

Detector-only jailbreak ASR substantially overestimates practical in-the-wild unsafe generation because of semantic drift and generation artifacts. Under AASR—unsafe and semantically aligned and not artifact-dominated—safety across 200+ public T2I models is heterogeneous: many retain non-trivial resistance without post-hoc safeguards, while a subset of high-risk models (explicit NSFW releases and seemingly benign derivatives) produce coherent unsafe content, including under benign prompts.

What carries the argument

Advanced Attack Success Rate (AASR): a three-stage filter that keeps a generation only if an NSFW detector flags it, an adaptive CLIPScore check confirms prompt–image semantic alignment above a distribution-calibrated threshold, and an artifact detector does not flag visual collapse. This is the quantity used for all large-scale ranking and high-risk thresholding.

Load-bearing premise

That the three-stage AASR pipeline, tuned with free filter parameters and validated by hand on only eighteen models, is a faithful enough stand-in for real-world “semantically valid and visually plausible” unsafe generation that its rankings and 0.40 high-risk cutoff can support ecosystem-wide conclusions.

What would settle it

Re-run the same 200-model, three-attack evaluation with a different NSFW detector, a fixed rather than adaptive semantic threshold, or a larger independent human ground-truth set; if the large ASR–AASR gap collapses, the architecture/family rankings reverse, or the models above the 0.40 threshold no longer look high-risk under clean prompts, the central measurement claim fails.

Watch this falsifier — get emailed when new claim-graph text bears on it.

If this is right

  • Safety claims for open T2I models should report AASR-style success, not detector-only ASR, or they will systematically overstate exploitability.
  • Platforms cannot rely on model-card labels alone; behavioral screening and lineage tracing are needed to catch both explicit NSFW checkpoints and silent safety loss under fine-tuning.
  • Architecture and inheritance matter: SDXL derivatives trend riskier over time while other families do not, so base-model choice and fine-tuning practice become first-order safety variables.
  • High-risk behavior can appear under ordinary clean prompts, so governance must treat release-time capability, not only adversarial prompting, as the threat surface.
  • Once an unsafe tendency enters a lineage, later derivatives can preserve or amplify it, turning single high-risk releases into a supply-chain problem.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • If AASR becomes a community standard, many previously published lab jailbreak numbers will need re-interpretation before they can guide open-source risk estimates.
  • The same measurement gap likely applies to other open generative modalities (video, 3D) where detectors fire on drift or artifacts, suggesting a broader need for “valid-and-plausible” success definitions.
  • Publishers who fine-tune popular bases without safety-preserving data filters may be creating the bulk of silent high-risk models, so pre-release AASR checks could be a low-cost lever.
  • Category-inconsistent safety (stronger resistance to sexual content than to violence in the measured set) implies that single-category red-teaming will miss the real risk surface.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit.

Referee Report

4 major / 0 minor

Summary. The paper argues that detector-only jailbreak ASR substantially overestimates practical unsafe generation for in-the-wild T2I models because of semantic drift and generation artifacts, and introduces Advanced ASR (AASR): an output counts as success only if it is MHSC-unsafe, semantically aligned with the prompt (adaptive CLIPScore filtering, Algorithm 1), and not artifact-dominated (HADM). Using AASR, the authors evaluate 200+ Hugging Face T2I models under three fixed jailbreak sets (UDTP, 4chan, MMA; N=30 prompts each) and report highly heterogeneous safety: many derivatives retain non-trivial resistance without post-hoc safeguards, while a subset of high-risk models—explicitly NSFW-oriented releases and seemingly benign derivatives—produce coherent unsafe content, including under clean prompts. They analyze attack dependence, architecture, safety inheritance, and temporal trends, calibrate a 0.40 average-AASR high-risk rule from the lower quartile of explicitly NSFW reference models, and document/report high-risk cases to Hugging Face.

Significance. If the measurement claims hold, this is a timely and useful contribution to T2I safety: it shifts evaluation from lab-style detector bypass on a few base models to ecosystem-scale measurement of open checkpoints, and it makes a concrete methodological point that detector-positive outputs often fail semantic or visual plausibility criteria. Strengths include the scale of the 200+ model sweep under a unified pipeline, the structured analyses (architecture, inheritance chains, release-time trends), the explicit lab-vs-wild threat-model distinction, and the practical step of tracing and reporting high-risk releases. Table 1 provides direct evidence that ASR exceeds manual ground truth while AASR tracks GT more closely on the validated subset. The work is primarily empirical measurement rather than a new attack or defense; its lasting value depends on whether AASR rankings and the high-risk labels are stable under detector/filter choices.

major comments (4)
  1. Table 1 validates AASR only on 18 models × 200 MMA images (3,600 outputs) with manual GT. The ecosystem claims (Findings 1–2, architecture/temporal rankings, and the high-risk set) rest on applying this pipeline to 200+ models and three attack sets. Without GT or inter-annotator checks on a broader stratified sample (other architectures, UDTP/4chan, clean-prompt setting in §5.2), it is unclear whether AASR remains closer to human judgment outside the MMA subset, or whether model orderings change under alternative human criteria for “semantically valid and visually plausible.”
  2. §3.2 Eq. (1) and Algorithm 1: AASR depends on free parameters (deviation factor k for t=μ−kσ, keyword-overlap δ, diversity γ) and on fixed tools (MHSC, CLIP encoders, HADM). The main text does not report chosen values, ablations, or rank-correlation under modest parameter/detector swaps. If re-ranking or threshold crossings are common, Findings 1–2 and the platform report inherit filter artifacts rather than intrinsic model safety. A sensitivity table (Spearman rank of AASR; fraction of models crossing 0.40) is load-bearing for the central measurement claim.
  3. §5.1 Eqs. (2)–(3): the 0.40 high-risk cutoff is the lower quartile of average AASR among models already labeled NSFW-oriented, then applied with the same AASR stack to flag unlabeled models (e.g., SDXL-WAI-80, SDXL-JankuV5). This is operationally circular for “second-category” risk: the reference group and the metric share the same detector pipeline, and Table 3 shows several explicit-NSFW models with low AASR under some conditions. The paper should either justify transfer with an independent criterion (human audit, clean-prompt rates in Table 5, download-weighted risk) or present the 0.40 rule as a reporting heuristic with uncertainty bounds, not as a calibrated safety threshold.
  4. §4.1: each attack set uses only 30 fixed prompts, and iterative/adaptive methods (STEPS, FGPI) are excluded for comparability. That design choice is reasonable for scale, but absolute AASR levels and “attack-conditioned” Finding 3 may be sensitive to the particular 30-prompt draws and to category mix (Appendix Table 4). Report confidence intervals or bootstrap over prompt subsets, and state clearly that results measure relative vulnerability under fixed templates rather than worst-case jailbreak success.

Circularity Check

1 steps flagged

Empirical measurement paper; AASR is an operational filter stack validated against separate human labels, not a quantity derived from itself. Only mild operational self-reference in the RQ3 high-risk threshold.

specific steps
  1. fitted input called prediction [§5.1 High-Risk Model Identification, Eqs. (2)–(3) and surrounding text]
    "We use the lower quartile of this reference distribution as a conservative anchor... Because the 4chan condition is systematically weaker, we use the average AASR across the three jailbreak datasets as the primary criterion and set the threshold to 0.40, which corresponds to the lower quartile of the first-category distribution. A model is flagged as a second-category high-risk model if it is not explicitly labeled as NSFW-oriented but satisfies AASR ≥ 0.40"

    The high-risk cutoff is fitted as the lower quartile of AASR on models already chosen for explicit NSFW release intent, then used to label other models as high-risk when their AASR meets that same cutoff. Category-2 “high-risk” status is therefore partly inherited from the reference group’s AASR distribution by construction. Mild only: the paper states this as empirical calibration, not as an independent prediction of a different observable, and category-1 models are identified from release metadata rather than from AASR alone.

full rationale

This paper does not present a first-principles derivation chain. Its central claims are empirical: (i) detector-only ASR overestimates practical unsafe generation relative to manual ground truth; (ii) a three-stage operational metric AASR (MHSC ∧ adaptive CLIP semantic filter ∧ ¬HADM) tracks GT more closely on 18 models / 3,600 images; (iii) under AASR, 200+ Hugging Face T2I models show heterogeneous safety; (iv) a subset of high-risk models is identified and traced. AASR is defined as a success criterion, then checked against independent human annotations—not defined as the GT it is said to approximate—so it is not self-definitional. There is no self-citation load-bearing uniqueness theorem, no ansatz smuggled from the authors’ prior work, and no renaming of a known closed-form result. The only mild circularity-adjacent step is RQ3’s high-risk rule: the 0.40 cutoff is the lower quartile of average AASR on models already metadata-labeled NSFW-oriented, then applied to flag unlabeled models. That is transparent empirical calibration of a classifier threshold from a reference group on the same metric, not a fitted parameter re-sold as an independent prediction of a different quantity. Score 1 reflects that single operational self-reference; the ecosystem findings remain external measurements against fixed prompts, detectors, and (for AASR validation) human labels.

Axiom & Free-Parameter Ledger

5 free parameters · 4 axioms · 1 invented entities

The central claims rest on operational definitions of jailbreak success and high risk, detector/tool choices, sampling design, and a calibrated threshold—not on new physical entities. Free parameters in adaptive filtering and the 0.40 high-risk cutoff are load-bearing. Domain assumptions include that open Hugging Face checkpoints represent the “in-the-wild” threat model and that MHSC/CLIP/HADM jointly track practical NSFW exploitability.

free parameters (5)
  • semantic consistency threshold τ_s / adaptive lower bound t = μ − kσ
    Controls which MHSC-positive images survive semantic-drift filtering; k is a free deviation factor in Algorithm 1 and directly changes AASR.
  • keyword-overlap threshold δ and diversity threshold γ
    Hand-set filters in Algorithm 1 that drop keyword-dominated or low-diversity generations; not derived from first principles.
  • high-risk AASR threshold 0.40
    Set as lower quartile of average AASR over an explicit NSFW reference group; used to flag second-category high-risk models.
  • prompt sample size N=30 per attack set
    UDTP has 30 prompts; 30 fixed samples from 4chan and MMA define all model scores—sampling choice affects rankings.
  • images per model in GT study (200) and clean-prompt study (200)
    Fixed evaluation budgets that determine empirical rates without reported uncertainty.
axioms (4)
  • domain assumption In-the-wild T2I risk is well captured by locally deployed open Hugging Face checkpoints under grey-box prompt attacks without commercial black-box guardrails.
    Section 2.2 defines lab vs wild and excludes DALL·E-style attacks; conclusions about the ecosystem inherit this scope.
  • domain assumption MHSC NSFW detection plus CLIP semantic alignment plus HADM artifact detection jointly approximate human judgment of practical unsafe generation.
    Equation (1) and §3.2 make AASR depend on these tools; only partially checked via 18-model manual GT.
  • standard math Standard statistical operations (means, std, CLIP cosine similarity, indicator averages) are valid for defining AASR and adaptive thresholds.
    Used throughout Eq. (1) and Algorithm 1.
  • ad hoc to paper Lower-quartile calibration of a reference high-risk group yields a conservative, transferable high-risk cutoff for unlabeled models.
    §5.1 cites general threshold-from-benchmark practice but the 0.40 rule is paper-specific operationalization.
invented entities (1)
  • Advanced Attack Success Rate (AASR) no independent evidence
    purpose: Refine jailbreak success to require unsafe, semantically aligned, and non-artifact generations for in-the-wild evaluation.
    Defined in §3.2 Eq. (1); independent evidence is partial via correlation with manual GT on 18 models, not an external standard metric.

pith-pipeline@v1.1.0-grok45 · 38511 in / 3547 out tokens · 56274 ms · 2026-07-10T17:13:43.446568+00:00 · methodology

0 comments
read the original abstract

Existing safety studies on text-to-image (T2I) jailbreaks are largely conducted in controlled in-the-lab settings, typically on a small number of canonical models. As a result, the current safety status of the rapidly growing in-the-wild T2I ecosystem remains unclear. This uncertainty is amplified by two factors: existing detector-based metrics are designed for controlled evaluation, and in-the-wild risks may arise not only from adversarial prompting, but also from unsafe release practices and unsafe model derivatives. In this paper, we present a large-scale empirical study of in-the-wild T2I safety through the lens of jailbreak. We first show that detector-only jailbreak metrics substantially overestimate practical risk over in the wild due to semantic drift and generation artifacts, and we introduce Advanced ASR to better capture semantically valid and visually plausible unsafe generation. Using this refined metric, we evaluate 200+ in-the-wild T2I models from Hugging Face under three representative jailbreak attacks. Our results show that many downstream models retain a non-trivial degree of safety even without explicit post-hoc safeguards, indicating that safety degradation in the wild is neither universal nor uniform. At the same time, we identify a set of high-risk models, including explicitly NSFW-oriented releases as well as seemingly benign models whose unsafe behavior is only exposed through systematic evaluation. We further trace these models to their release context and report high-risk cases to Hugging Face.

Figures

Figures reproduced from arXiv: 2607.07827 by Jianfeng Ma, Jingchun Zhang, Peilin Han, Teng Li, Yang Liu, Yilong Yang, Zhuo Ma.

Figure 1
Figure 1. Figure 1: Examples of Semantic drift and AI Failure. [PITH_FULL_IMAGE:figures/full_fig_p003_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: Distribution of model AASR under three jailbreak [PITH_FULL_IMAGE:figures/full_fig_p005_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: AASR distributions of four model families under [PITH_FULL_IMAGE:figures/full_fig_p006_3.png] view at source ↗
Figure 4
Figure 4. Figure 4: Security analysis of models under the same inheri [PITH_FULL_IMAGE:figures/full_fig_p006_4.png] view at source ↗
Figure 5
Figure 5. Figure 5: Security trend of different model families. From left to right: SDXL, FLUX, and SD. [PITH_FULL_IMAGE:figures/full_fig_p007_5.png] view at source ↗
Figure 6
Figure 6. Figure 6: Representative harmful outputs from low-AASR [PITH_FULL_IMAGE:figures/full_fig_p011_6.png] view at source ↗

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

33 extracted references · 33 canonical work pages · 6 internal anchors

  1. [1]

    Alves, Christiaan Ypma, and Joost Visser

    Tiago L. Alves, Christiaan Ypma, and Joost Visser. 2010. Deriving Metric Thresh- olds from Benchmark Data. In2010 IEEE International Conference on Software Maintenance

  2. [2]

    Black Forest Labs. 2024. FLUX. https://github.com/black-forest-labs/flux. Official inference repository for FLUX open-weight models

  3. [3]

    Wayne Chi, Valerie Chen, Anastasios Nikolas Angelopoulos, Wei-Lin Chiang, Aditya Mittal, Naman Jain, Tianjun Zhang, Ion Stoica, Chris Donahue, and Ameet Talwalkar. 2025. Copilot Arena: A Platform for Code LLM Evaluation in the Wild. InProceedings of the 42nd International Conference on Machine Learning (ICML)

  4. [4]

    Boxin Dong, Weizhe Shi, Junjue Chen, Xinyue Ma, Yuze Lin, Yusheng Zhou, Zifan Liu, Shuhao Li, Jie Li, Xinyu Liu, et al. 2023. ART: Automatic Red-teaming for Text-to-Image Models to Protect Benign Users.arXiv preprint arXiv:2310.04408 (2023). https://arxiv.org/abs/2310.04408

  5. [5]

    Ruiqi Dong, Wenjing Pang, ChenJie Pan, Heng-yang Lu, and Chenyou Fan

  6. [6]

    InProceedings of the 33rd ACM International Conference on Multimedia (ACM MM)

    StoryCrafter: Instance-Aligned Multi-Character Storytelling with Diffusion Policy Learning. InProceedings of the 33rd ACM International Conference on Multimedia (ACM MM)

  7. [7]

    Liwei Jiang, Kavel Rao, Seungju Han, Allyson Ettinger, Faeze Brahman, Sachin Kumar, Niloofar Mireshghallah, Ximing Lu, Maarten Sap, Yejin Choi, et al. 2024. WildTeaming at Scale: From In-the-Wild Jailbreaks to (Adversarially) Safer Lan- guage Models. InAdvances in Neural Information Processing Systems (NeurIPS)

  8. [8]

    Schorlemmer, Rohan Sethi, Yung-Hsiang Lu, George K

    Wenxin Jiang, Nicholas Synovic, Matt Hyatt, Taylor R. Schorlemmer, Rohan Sethi, Yung-Hsiang Lu, George K. Thiruvathukal, and James C. Davis. 2023. An Empirical Study of Pre-Trained Model Reuse in the Hugging Face Deep Learning Model Registry. InProceedings of the 45th International Conference on Software Engineering (ICSE). IEEE/ACM, 1655–1667. doi:10.110...

  9. [9]

    Jianming Zhang Kaihong Wang, Lingzhi Zhang. 2024. Detecting Human Artifacts from Text-to-Image Models.arxiv(2024)

  10. [10]

    Hsuan-Kung Lee, Chen-Chih Wu, Shang-Tse Wu, and Pin-Yu Chen. 2023. SneakyPrompt: Jailbreaking Text-to-image Generative Models.arXiv preprint arXiv:2307.06949(2023). https://arxiv.org/abs/2307.06949

  11. [11]

    Dustin Podell, Zion English, Kyle Lacey, Andreas Blattmann, Tim Dockhorn, Jonas Müller, Joe Penna, and Robin Rombach. 2023. SDXL: Improving Latent Diffusion Models for High-Resolution Image Synthesis.arXiv preprint arXiv:2307.01952 (2023)

  12. [12]

    Yuning Qiu, Andong Wang, Chao Li, Haonan Huang, Guoxu Zhou, and Qibin Zhao. 2025. STEPS: Sequential Probability Tensor Estimation for Text-to-Image Hard Prompt Search. InProceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). 28640–28650

  13. [13]

    Alec Radford, Jong Wook Kim, Chris Hallacy, Aditya Ramesh, Gabriel Goh, Sandhini Agarwal, Girish Sastry, Amanda Askell, Pamela Mishkin, Jack Clark, Gretchen Krueger, and Ilya Sutskever. 2021. Learning Transferable Visual Models From Natural Language Supervision. InProceedings of the 38th International Conference on Machine Learning (ICML). 8748–8763

  14. [14]

    Colin Raffel, Noam Shazeer, Adam Roberts, Katherine Lee, Sharan Narang, Michael Matena, Yanqi Zhou, Wei Li, and Peter J. Liu. 2020. Exploring the Limits of Transfer Learning with a Unified Text-to-Text Transformer.Journal of Machine Learning Research21, 140 (2020), 1–67

  15. [15]

    Robin Rombach, Andreas Blattmann, Dominik Lorenz, Patrick Esser, and Björn Ommer. 2022. High-Resolution Image Synthesis with Latent Diffusion Models. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). 10684–10695. doi:10.1109/CVPR52688.2022.01042

  16. [16]

    Sara Mah- davi, Rapha Gontijo Lopes, Tim Salimans, Jonathan Ho, David J

    Chitwan Saharia, William Chan, Saurabh Saxena, Lala Li, Jay Whang, Emily Denton, Seyed Kamyar Seyed Ghasemipour, Burcu Karagol Ayan, S. Sara Mah- davi, Rapha Gontijo Lopes, Tim Salimans, Jonathan Ho, David J. Fleet, and Mo- had Norouzi. 2022. Photorealistic Text-to-Image Diffusion Models with Deep Language Understanding.Advances in Neural Information Proc...

  17. [17]

    Thiruvathukal, and James C

    Patrick Schramowski, Christopher Tauchmann, Kristian Kersting, Xavier Lu, Yiting Qu, Yung-Hsiang Lu, Wenxuan Wang, George K. Thiruvathukal, and James C. Davis. 2023. Unsafe Diffusion: On the Generation of Unsafe Images and Hateful Memes From Text-to-Image Models. InProceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security (CCS)...

  18. [18]

    Schuemie, George Hripcsak, Patrick B

    Martijn J. Schuemie, George Hripcsak, Patrick B. Ryan, David Madigan, and Marc A. Suchard. 2016. Robust empirical calibration of p-values using observa- tional data.Statistics in Medicine35, 22 (2016), 3883–3888

  19. [19]

    Schuemie, Patrick B

    Martijn J. Schuemie, Patrick B. Ryan, William DuMouchel, Marc A. Suchard, and David Madigan. 2014. Interpreting observational studies: why empirical calibration is needed to correct p-values.Statistics in Medicine33, 2 (2014), 209–218

  20. [20]

    Christoph Schuhmann, Romain Beaumont, Richard Vencu, Cade Gordon, Ross Wightman, Mehdi Cherti, Theo Coombes, Aarush Katta, Clayton Mullis, Mitchell Wortsman, Patrick Schramowski, Srivatsa Kundurthy, Katherine Crowson, Lud- wig Schmidt, Robert Kaczmarczyk, and Jenia Jitsev. 2022. LAION-5B: An Open Large-Scale Dataset for Training Next Generation Image-Text...

  21. [21]

    Xinyue Shen, Zeyuan Chen, Michael Backes, Yun Shen, and Yang Zhang

  22. [22]

    "Do Anything Now": Characterizing and Evaluating In-The-Wild Jailbreak Prompts on Large Language Models

    “Do Anything Now”: Characterizing and Evaluating In-The-Wild Jailbreak Prompts on Large Language Models.arXiv preprint arXiv:2308.03825(2024)

  23. [23]

    The ModelScope Team. 2023. ModelScope: bring the notion of model-as-a-service to life. https://github.com/modelscope/modelscope

  24. [24]

    Matteo Trippodo, Federico Becattini, and Lorenzo Seidenari. 2025. Immunizing Images from Text to Image Editing via Adversarial Cross-Attention. InProceedings of the 33rd ACM International Conference on Multimedia (ACM MM)

  25. [25]

    John W. Tukey. 1977.Exploratory Data Analysis. Addison-Wesley

  26. [26]

    Corban Villa, Shujaat Mirza, and Christina Pöpper. 2025. Exposing the Guardrails: Reverse-Engineering and Jailbreaking Safety Filters in DALL·E Text-to-Image Pipelines. InProceedings of the 34th USENIX Security Symposium

  27. [27]

    Hongchen Wei and Zhenzhong Chen. 2025. RealVG: Unleashing MLLMs for Training-Free Spatio-Temporal Video Grounding in the Wild. InProceedings of the 33rd ACM International Conference on Multimedia (ACM MM). 4271–4280. doi:10.1145/3746027.3755381

  28. [28]

    Chengyue Wu et al . 2025. Qwen-Image Technical Report.arXiv preprint arXiv:2508.02324(2025)

  29. [29]

    Wei Xu, Kangjie Chen, Jiawei Qiu, Yuyang Zhang, Run Wang, Jin Mao, Tianwei Zhang, and Lina Wang. 2025. Automated Red Teaming for Text-to-Image Models through Feedback-Guided Prompt Iteration with Vision-Language Models. In Proceedings of the IEEE/CVF International Conference on Computer Vision (ICCV). 18575–18584

  30. [30]

    Zezhou Xu, Yikun Hu, Zihao Liu, Chenghao Li, Yikang Tan, Tong Zhang, Xiaojun Zhu, and Yefeng Zheng. 2024. Metaphor-based Jailbreaking Attacks on Text-to- Image Models.arXiv preprint arXiv:2404.05984(2024). https://arxiv.org/abs/2404. 05984

  31. [31]

    Yijun Yang, Ruiyuan Gao, Xiaosen Wang, Tsung-Yi Ho, Nan Xu, and Qiang Xu

  32. [32]

    InProceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR)

    MMA-Diffusion: MultiModal Attack on Diffusion Models. InProceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). 7737–7746

  33. [33]

    Haofan Zhang and Shangfei Wang. 2025. EmIT: Emotional Interaction Control in Text-to-Image Diffusion Models. InProceedings of the 33rd ACM International Conference on Multimedia (ACM MM). Conference acronym ’XX, June 03–05, 2018, Woodstock, NY Trovato et al. Open Models, Open Risks: Measuring Unsafe Generation in Text-to-Image Models In the Wild Supplemen...