We Open-Sourced 23,759 Cross-Modal Prompt Injection Payloads

10 Apr 2026 | 7 min read | Bordair

Today we are releasing bordair-multimodal, an open-source dataset of 23,759 cross-modal prompt injection test payloads. Every single payload uses a true cross-modal attack, where the injection is distributed across two or more input channels. No single-modality injections are included.

You can find the full dataset on GitHub.

Why we built this

Most prompt injection benchmarks focus on text-only attacks. But modern LLM applications accept images, documents, and audio alongside text. The attack surface is dramatically larger, and defenders need test data that reflects that reality.

We built this dataset to train and evaluate Bordair's own multimodal detection pipeline. Now we are sharing it so the wider security community can benefit.

What is in the dataset

The dataset covers every combination of input modalities:

  • Text + Image: 6,440 payloads using OCR, EXIF metadata, PNG chunks, XMP, white-text, steganographic, and adversarial perturbation delivery
  • Text + Document: 12,880 payloads across PDF, DOCX, XLSX, and PPTX with body, footer, metadata, comment, white-text, hidden-layer, and embedded-image hiding strategies
  • Text + Audio: 2,760 payloads using speech, ultrasonic, whispered, background, reversed, and speed-shifted audio
  • Image + Document: 1,380 split attacks across image and document channels
  • Triple modality: 260 payloads split across three channels
  • Quad modality: 39 payloads using all four channels simultaneously

Attack categories

Each payload is tagged with one of 13 attack categories, drawn from academic research and industry sources:

  • Direct override (OWASP LLM01:2025)
  • Data exfiltration
  • DAN jailbreak (arXiv 2402.00898)
  • Template injection
  • Authority impersonation
  • Social engineering
  • Encoding obfuscation
  • Context switching
  • Compliance forcing
  • Multilingual injection
  • Creative exfiltration
  • Hypothetical framing
  • Rule manipulation

Cross-modal split strategies

Payloads use four split strategies inspired by recent academic work:

  1. Benign text + full injection: innocuous text wrapper with the complete injection hidden in a non-text modality (FigStep, AAAI 2025)
  2. Split injection: the payload is split across modalities so neither half is malicious alone (CrossInject, ACM MM 2025)
  3. Authority/payload split: authority claim in one modality, action command in another (CM-PIUG, Pattern Recognition 2026)
  4. Context switch injection: delimiter or context switch in one modality, injection in another (WithSecure Labs)

Image delivery methods

For image-based attacks, we use seven distinct delivery methods:

  • OCR: text rendered visually, readable by vision models
  • EXIF metadata: injection hidden in ImageDescription and UserComment fields
  • PNG metadata: injection in tEXt/iTXt chunks
  • XMP metadata: injection in XMP sidecar data
  • White-text: white text on white background, invisible to humans but readable by models
  • Steganographic: hidden in pixel data via LSB encoding
  • Adversarial perturbation: pixel-level changes imperceptible to humans that alter model perception
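
On the defensive side, the PNG metadata channel listed above can be surfaced for inspection with standard-library Python. This is an added example, not code from the bordair-multimodal repository; the function names, the 1 MiB size cap and the constructed 1x1 sample PNG with harmless marker strings are assumptions made for illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MAX_TEXT = 1 << 20  # assumed cap on inflated text per chunk (decompression-bomb guard)

def _inflate(data):
    # Bounded zlib inflate so a hostile chunk cannot exhaust memory.
    d = zlib.decompressobj()
    out = d.decompress(data, MAX_TEXT)
    if d.unconsumed_tail:
        raise ValueError("compressed text chunk exceeds size cap")
    return out

def png_text_chunks(blob):
    """Return [(chunk_type, keyword, text)] for every tEXt/zTXt/iTXt chunk."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    found, pos = [], len(PNG_SIG)
    while pos + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 8 + length
        data, crc = blob[pos + 8:end], blob[end:end + 4]
        if len(crc) != 4 or zlib.crc32(ctype + data) != struct.unpack(">I", crc)[0]:
            raise ValueError("truncated chunk or bad CRC")
        pos = end + 4
        key, _, rest = data.partition(b"\x00")  # text chunks start with keyword + NUL
        key = key.decode("latin-1")
        if ctype == b"tEXt":
            found.append(("tEXt", key, rest.decode("latin-1")))
        elif ctype == b"zTXt" and rest:  # rest[0] is the compression method byte
            found.append(("zTXt", key, _inflate(rest[1:]).decode("latin-1")))
        elif ctype == b"iTXt" and len(rest) >= 2:  # rest[0] flag, rest[1] method
            _lang, _, tail = rest[2:].partition(b"\x00")
            _tkey, _, text = tail.partition(b"\x00")
            text = _inflate(text) if rest[0] else text
            found.append(("iTXt", key, text.decode("utf-8", "replace")))
        elif ctype == b"IEND":
            break
    return found

def _chunk(ctype, data):
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def build_sample_png():
    # Constructed 1x1 greyscale PNG carrying harmless marker strings in its metadata.
    ihdr = _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    text = _chunk(b"tEXt", b"Comment\x00constructed tEXt sample")
    itxt = _chunk(b"iTXt", b"Description\x00\x01\x00\x00\x00" + zlib.compress(b"constructed iTXt sample"))
    return PNG_SIG + ihdr + text + itxt + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b"")
```

Pass the returned strings to the same text-level detector as the user prompt, joined with it rather than scored separately, since the split strategies above rely on each channel looking harmless on its own.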

Academic foundations

The dataset draws on peer-reviewed research including CrossInject (ACM MM 2025), FigStep (AAAI 2025), CM-PIUG (Pattern Recognition 2026), DolphinAttack (ACM CCS 2017), and others. Full references are in the repository README.

How to use it

Clone the repository and use the payloads to evaluate your own detection systems:

git clone https://github.com/Josh-blythe/bordair-multimodal.git
cd bordair-multimodal
# Each payload includes modality, category, split strategy, and content

If you are building multimodal AI applications, this dataset can help you understand where your defences have gaps. If you are a security researcher, we hope it accelerates your work on cross-modal attack detection.

What comes next

This is just v1. We are already working on expanding the dataset with benign samples for balanced evaluation, adversarial suffix attacks from tools like nanoGCG, and emerging attack vectors. Contributions are welcome via pull requests.

If you want to protect your application without building your own detection pipeline, Bordair's API handles all of this out of the box.
