@inproceedings{sun-etal-2026-multicodeattack,
    title = "{M}ulti{C}ode{A}ttack: Iterative Jailbreak Attacking on {LLM}s with Multi-Code Prompt Injection",
    author = "Sun, Weifeng  and
      Yan, Meng  and
      Yang, Zhou  and
      Chen, Yuchen  and
      Sun, Song  and
      Lo, David",
    editor = "Liakata, Maria  and
      Moreira, Viviane P.  and
      Zhang, Jiajun  and
      Jurgens, David",
    booktitle = "Findings of the {A}ssociation for {C}omputational {L}inguistics: {ACL} 2026",
    month = jul,
    year = "2026",
    address = "San Diego, California, United States",
    publisher = "Association for Computational Linguistics",
    url = "https://preview.aclanthology.org/ingest-acl/2026.findings-acl.721/",
    pages = "14670--14690",
    ISBN = "979-8-89176-395-1",
    abstract = "Large Language Models (LLMs) demonstrate strong generalization capabilities but remain vulnerable to jailbreak attacks that induce restricted text or malicious code generation.Recent structured jailbreaks embed adversarial intent into code-like templates and have demonstrated promising effectiveness.However, existing approaches typically operate within a fixed template design and a single programming language, without considering language diversity or adaptive template evolution, thereby limiting the exploration of cross-language jailbreak behaviors.In this paper, we present MultiCodeAttack, a structured jailbreak framework that systematically explores and optimizes multi-language code templates.MultiCodeAttack maintains a diverse template library across programming languages, dynamically selects languages with higher attack effectiveness via a multi-armed bandit strategy, and evolves templates through semantic-preserving mutation guided by response-aware signals.Extensive experiments on 8 LLMs show that MultiCodeAttack outperforms existing jailbreak baselines, achieving 28.23{\%}{--}832.59{\%} higher harmful text generation.On malicious code generation across 11 LLMs, MultiCodeAttack produces up to 136.22{\%} more malicious outputs than the baseline methods.Our code is available at https://anonymous.4open.science/r/MultiCodeAttack/."
}