Rule Explorer
427 detection rules. Browse, filter, inspect.
All rules are parsed from YAML at build time. Click any rule to view its details.
Categories (all): Prompt Injection (169), Agent Manipulation (105), Context Leakage (41), Skill Compromise (38), Tool Poisoning (36), Privilege Escalation (15), Model-Level Attack (15), Excessive Autonomy (8)
Severities (all): critical (137), high (230), medium (57), low (3)
Showing 427 / 427 rules
| Rule ID | Name | Category | Severity | CVEs |
|---|---|---|---|---|
| ATR-2026-00004 | System Prompt Override Attempt | Prompt Injection | critical | CVE-2024-5184, CVE-2025-32711 |
| ATR-2026-00010 | Malicious Content in MCP Tool Response | Tool Poisoning | critical | CVE-2025-68143, CVE-2025-68144, CVE-2025-68145, CVE-2025-6514, CVE-2025-59536, CVE-2026-21852 |
| ATR-2026-00013 | SSRF via Agent Tool Calls | Tool Poisoning | critical | CVE-2019-5418, CVE-2021-21311 |
| ATR-2026-00021 | Credential and Secret Exposure in Agent Output | Context Leakage | critical | CVE-2025-32711 |
| ATR-2026-00030 | Cross-Agent Attack Detection | Agent Manipulation | critical | -- |
| ATR-2026-00040 | Privilege Escalation and Admin Function Access | Privilege Escalation | critical | CVE-2026-0628 |
| ATR-2026-00062 | Hidden Capability in MCP Skill | Tool Poisoning | critical | CVE-2025-59536 |
| ATR-2026-00063 | Multi-Skill Chain Attack | Tool Poisoning | critical | -- |
| ATR-2026-00066 | Parameter Injection via Tool Arguments | Tool Poisoning | critical | CVE-2025-68143, CVE-2025-68144 |
| ATR-2026-00072 | Model Behavior Extraction | Model-Level Attack | critical | -- |
| ATR-2026-00073 | Malicious Fine-tuning Data | Model-Level Attack | critical | -- |
| ATR-2026-00074 | Cross-Agent Privilege Escalation | Agent Manipulation | critical | -- |
| ATR-2026-00081 | Semantic Evasion via Multi-Turn Prompt Injection | Prompt Injection | critical | -- |
| ATR-2026-00091 | Advanced Structured Data Injection with Nested Payloads | Prompt Injection | critical | -- |
| ATR-2026-00092 | Multi-Agent Consensus Poisoning and Sybil Attack | Prompt Injection | critical | -- |
| ATR-2026-00093 | Gradual Capability Escalation via Incremental Introduction | Prompt Injection | critical | -- |
| ATR-2026-00094 | Systematic Multi-Layer Audit System Bypass | Prompt Injection | critical | -- |
| ATR-2026-00095 | MCP Tool Supply Chain Poisoning | Tool Poisoning | critical | -- |
| ATR-2026-00096 | Skill Registry Poisoning and Compromised Tool Distribution | Tool Poisoning | critical | -- |
| ATR-2026-00097 | CJK Prompt Injection - Expanded Chinese/Japanese/Korean Patterns | Prompt Injection | critical | -- |
| ATR-2026-00098 | Unauthorized Financial Action by AI Agent | Excessive Autonomy | critical | -- |
| ATR-2026-00103 | Hidden LLM Safety Bypass Instructions in Tool Descriptions | Tool Poisoning | critical | -- |
| ATR-2026-00104 | Persona Hijacking via Mandatory System Prompt Override | Prompt Injection | critical | -- |
| ATR-2026-00108 | Multi-Agent Consensus Sybil Attack | Agent Manipulation | critical | -- |
| ATR-2026-00110 | Remote Code Execution via eval() and Dynamic Code Injection | Privilege Escalation | critical | -- |
| ATR-2026-00111 | Shell Metacharacter Injection in Tool Arguments | Privilege Escalation | critical | -- |
| ATR-2026-00113 | Credential File Theft from Agent Environment | Context Leakage | critical | -- |
| ATR-2026-00115 | Bulk Environment Variable Harvesting and Exfiltration | Context Leakage | critical | -- |
| ATR-2026-00117 | Agent Identity Spoofing and Authority Impersonation | Agent Manipulation | critical | -- |
| ATR-2026-00120 | SKILL.md Prompt Injection | Skill Compromise | critical | -- |
| ATR-2026-00121 | Malicious Code in Skill Package | Skill Compromise | critical | CVE-2026-25253 (CVSS 8.8) - OpenClaw RCE |
| ATR-2026-00128 | Hidden Payload in HTML Comment | Skill Compromise | critical | -- |
| ATR-2026-00129 | Unicode Tag Character Smuggling | Skill Compromise | critical | -- |
| ATR-2026-00135 | Data Exfiltration URL in Skill Instructions | Skill Compromise | critical | -- |
| ATR-2026-00136 | Tool Response Data Piggybacking | Context Leakage | critical | -- |
| ATR-2026-00139 | Casual Authority Data Redirect | Agent Manipulation | critical | -- |
| ATR-2026-00141 | API Key Leakage via Example Format | Context Leakage | critical | -- |
| ATR-2026-00142 | Data Piggybacking via Casual Transition Words | Context Leakage | critical | -- |
| ATR-2026-00145 | Obfuscated API Key Disclosure | Context Leakage | critical | -- |
| ATR-2026-00149 | Skill Data Exfiltration via Compound Patterns | Skill Compromise | critical | -- |
| ATR-2026-00150 | Credential Data Leaked in Tool Response | Context Leakage | critical | -- |
| ATR-2026-00153 | Tool with embedded instruction to bypass user confirmation and exfiltrate data | Tool Poisoning | critical | -- |
| ATR-2026-00157 | Time-Gated Credential Exfiltration (Rug Pull Timebomb) | Skill Compromise | critical | -- |
| ATR-2026-00161 | MCP Tool Description — IMPORTANT Tag Cross-Tool Shadowing Attack | Tool Poisoning | critical | -- |
| ATR-2026-00162 | Credential Access with Exfiltration in Skill Instructions | Context Leakage | critical | -- |
| ATR-2026-00200 | Agent Memory and Configuration File Tampering | Skill Compromise | critical | -- |
| ATR-2026-00201 | Credential Exfiltration via Shell Pipe | Context Leakage | critical | -- |
| ATR-2026-00210 | Flowise System Message Override via Template Interpolation (CVE-2025-59528) | Tool Poisoning | critical | CVE-2025-59528 |
| ATR-2026-00212 | mcp-atlassian Credential Leak via Hint Parameter Injection (CVE-2026-27825/27826) | Context Leakage | critical | CVE-2026-27825, CVE-2026-27826 |
| ATR-2026-00214 | Credential Exfiltration via Fake Backup Verification | Skill Compromise | critical | -- |
| ATR-2026-00217 | Credential Harvesting via Fake Backup Tool | Skill Compromise | critical | -- |
| ATR-2026-00220 | Base64 Encoded Remote Code Execution via Raw IP | Skill Compromise | critical | -- |
| ATR-2026-00222 | Browser Credential Harvesting via Session Debug Tool | Skill Compromise | critical | -- |
| ATR-2026-00223 | Malicious WhatsApp Skill with Base64 Encoded Reverse Shell Installation | Skill Compromise | critical | -- |
| ATR-2026-00224 | Credential Exfiltration via Fake DevOps Tool Initialization | Skill Compromise | critical | -- |
| ATR-2026-00262 | Anti-Malware Evasion Code Generation Request | Skill Compromise | critical | -- |
| ATR-2026-00263 | Credential File Read Code Generation Request | Skill Compromise | critical | -- |
| ATR-2026-00266 | Malware Dropper / Loader Code Generation Request | Skill Compromise | critical | -- |
| ATR-2026-00277 | ECHO Template / Jinja / SQL Command Injection via LLM | Tool Poisoning | critical | -- |
| ATR-2026-00280 | Policy Puppetry / XML Role-Config Injection | Prompt Injection | critical | -- |
| ATR-2026-00290 | Divergence Attack — Repeat-Word-Forever Training Data Extraction | Context Leakage | critical | -- |
| ATR-2026-00291 | Biometric Surveillance — Personal Biometric Data Request for Named Individual | Context Leakage | critical | -- |
| ATR-2026-00292 | Self-Harm and Eating Disorder Facilitation Request | Model-Level Attack | critical | -- |
| ATR-2026-00293 | Educational Records — Personal Academic/Professional Record Request for Named Individual | Context Leakage | critical | -- |
| ATR-2026-00294 | Financial PII — Personal Financial Data Request for Named Individual | Context Leakage | critical | -- |
| ATR-2026-00295 | Medical PII — Personal Medical/Health Data Request for Named Individual | Context Leakage | critical | -- |
| ATR-2026-00296 | Shell Command Injection via LLM Prompt | Prompt Injection | critical | -- |
| ATR-2026-00297 | Python Code Execution / Remote Code Execution via LLM Prompt | Prompt Injection | critical | -- |
| ATR-2026-00298 | DoNotAnswer Malicious Use — Illegal Activity Facilitation Request | Model-Level Attack | critical | -- |
| ATR-2026-00299 | HarmBench Detailed Harmful Instruction Request — Step-by-Step Attack Facilitation | Model-Level Attack | critical | -- |
| ATR-2026-00301 | TAP Tree-of-Attacks-with-Pruning Jailbreak | Agent Manipulation | critical | -- |
| ATR-2026-00303 | DevMode + RANTI Dual-Output Profanity Coercion Jailbreak | Agent Manipulation | critical | -- |
| ATR-2026-00305 | DAN Mode Ablation Benchmark-Coercion Jailbreak | Agent Manipulation | critical | -- |
| ATR-2026-00306 | AutoDAN Genetic-Algorithm Jailbreak Suffix | Agent Manipulation | critical | -- |
| ATR-2026-00312 | Unicode Variation Selector ASCII Smuggling | Prompt Injection | critical | -- |
| ATR-2026-00313 | SneakyBits Zero-Width Binary Steganography | Prompt Injection | critical | -- |
| ATR-2026-00314 | Amoral Unfiltered Custom AI Persona Jailbreak | Agent Manipulation | critical | -- |
| ATR-2026-00317 | Free-of-Restrictions Named Persona Jailbreak | Agent Manipulation | critical | -- |
| ATR-2026-00318 | Moralizing Rant Then Unfiltered Bypass | Agent Manipulation | critical | -- |
| ATR-2026-00319 | Developer Mode Dual-Response Format Jailbreak | Agent Manipulation | critical | -- |
| ATR-2026-00321 | Hyphenated System Instruction Injection | Prompt Injection | critical | -- |
| ATR-2026-00322 | Fictional-World Format-Override Jailbreak | Agent Manipulation | critical | -- |
| ATR-2026-00323 | Dual-Persona AI Simulation Jailbreak | Agent Manipulation | critical | -- |
| ATR-2026-00325 | BOB Hypothetical Unrestricted Chatbot Jailbreak | Agent Manipulation | critical | -- |
| ATR-2026-00326 | Fake Developer / Authority Chatbot Override (ChatDAN) | Agent Manipulation | critical | -- |
| ATR-2026-00327 | AI Persona Ethics/Law Bypass Declaration | Agent Manipulation | critical | -- |
| ATR-2026-00328 | Named-Mode Persona Override (JEEVES/BABY/APOPHIS Mode) | Agent Manipulation | critical | -- |
| ATR-2026-00329 | No-Withhold Factual Resource / Dialogue Writer Persona | Agent Manipulation | critical | -- |
| ATR-2026-00331 | Terminal / CLI Harmful-Function Simulator Persona | Agent Manipulation | critical | -- |
| ATR-2026-00334 | Two-Entity Token-Splitting Dollar-Term Game Jailbreak | Agent Manipulation | critical | -- |
| ATR-2026-00337 | Obfuscated System-Announcement Injection | Agent Manipulation | critical | -- |
| ATR-2026-00338 | PersonGPT Hash-Prefix Trigger Activation | Agent Manipulation | critical | -- |
| ATR-2026-00344 | Alternative AI Same Capabilities No Restrictions Override | Agent Manipulation | critical | -- |
| ATR-2026-00348 | ARC Autonomous Real Calculation Unit Rulebreaker Activation | Agent Manipulation | critical | -- |
| ATR-2026-00349 | HGTTG Hitchhiker's Guide No-Restriction Universal Oracle | Agent Manipulation | critical | -- |
| ATR-2026-00354 | Reverse-Prompt Harm-Regardless Oracle Persona | Agent Manipulation | critical | -- |
| ATR-2026-00356 | Google GATO/LAMDA Exploit-Generation Persona Jailbreak | Agent Manipulation | critical | -- |
| ATR-2026-00357 | AntiFM Hate-Persona + Physical-Violence Threat + Filter Bypass Mandate | Agent Manipulation | critical | -- |
| ATR-2026-00359 | Bank Phishing SMTP Email Code Generation | Prompt Injection | critical | -- |
| ATR-2026-00363 | Rephrase Criminal Activity Second-Person Template (against against) | Agent Manipulation | critical | -- |
| ATR-2026-00388 | Opposite-Reply Omniscient Game Jailbreak | Agent Manipulation | critical | -- |
| ATR-2026-00395 | LLM Special Token Boundary Injection | Prompt Injection | critical | -- |
| ATR-2026-00398 | HuggingFace Unsafe Model Artifact Load Instruction | Skill Compromise | critical | -- |
| ATR-2026-00406 | Doctor XML Policy Puppetry Interaction-Config Injection | Agent Manipulation | critical | -- |
| ATR-2026-00413 | Malware Code Generation Direct Request | Model-Level Attack | critical | -- |
| ATR-2026-00415 | Flowise Custom MCP STDIO Command Injection (CVE-2026-40933) | Tool Poisoning | critical | CVE-2026-40933 |
| ATR-2026-00416 | LiteLLM MCP Unauthenticated Server Registration RCE (CVE-2026-30623) | Agent Manipulation | critical | CVE-2026-30623 |
| ATR-2026-00419 | Cursor MCP JSON Zero-Click Configuration RCE (CVE-2025-54136) | Tool Poisoning | critical | CVE-2025-54136 |
| ATR-2026-00421 | Natural-Language Covert Conversation Exfiltration Instruction | Context Leakage | critical | -- |
| ATR-2026-00422 | Natural-Language Credential / Secret Disclosure Instruction | Context Leakage | critical | -- |
| ATR-2026-00423 | Natural-Language Sensitive File Disclosure Instruction | Context Leakage | critical | -- |
| ATR-2026-00426 | Natural-Language Output-Injection Credential Embedding | Context Leakage | critical | -- |
| ATR-2026-00428 | Natural-Language Unauthorized Shell-Execution Instruction | Excessive Autonomy | critical | -- |
| ATR-2026-00429 | Natural-Language Skill Self-Modification / Persistence Instruction | Skill Compromise | critical | -- |
| ATR-2026-00432 | SuperAGI Output Handler eval() RCE (CVE-2024-21552) | Agent Manipulation | critical | CVE-2024-21552 |
| ATR-2026-00433 | ModelCache torch.load() Deserialization RCE (CVE-2025-45146) | Model-Level Attack | critical | CVE-2025-45146 |
| ATR-2026-00434 | mcp-remote authorization_endpoint OS Command Injection (CVE-2025-6514) | Tool Poisoning | critical | CVE-2025-6514 |
| ATR-2026-00436 | Enclave VM Sandbox Escape RCE (CVE-2026-27597) | Privilege Escalation | critical | CVE-2026-27597 |
| ATR-2026-00440 | Microsoft Semantic Kernel In-Memory Vector Store eval() RCE (CVE-2026-26030) | Agent Manipulation | critical | CVE-2026-26030 |
| ATR-2026-00441 | Microsoft Semantic Kernel SessionsPythonPlugin Arbitrary File Write + Startup Persistence (CVE-2026-25592) | Privilege Escalation | critical | CVE-2026-25592 |
| ATR-2026-00451 | LiteLLM Proxy Admin Endpoint SQL Injection — CISA KEV (CVE-2026-42208) | Privilege Escalation | critical | CVE-2026-42208 |
| ATR-2026-00494 | SQL Injection and Code Injection Attack Payload Detection | Tool Poisoning | critical | -- |
| ATR-2026-00500 | SSRF via Agent URL Fetch Instruction | Excessive Autonomy | critical | -- |
| ATR-2026-00501 | Data Exfiltration via Markdown Image and Link URL Injection | Context Leakage | critical | -- |
| ATR-2026-00503 | Fake Error State Takeover - Unrestricted Replacement Bot | Prompt Injection | critical | -- |
| ATR-2026-00510 | Delayed Tool Invocation via Prompt Injection (Time-Shifted Execution) | Prompt Injection | critical | -- |
| ATR-2026-00511 | MCP Web-Fetch Context Poisoning via Embedded Agent Instructions | Prompt Injection | critical | -- |
| ATR-2026-00512 | Rules-File Backdoor — Supply Chain Attack on AI Coding Assistant Configuration | Prompt Injection | critical | -- |
| ATR-2026-00521 | Shell Command Injection in Agent Tool Context | Tool Poisoning | critical | -- |
| ATR-2026-00523 | Claude Code Hooks SessionStart Pre-Trust RCE (CVE-2025-59536) | Skill Compromise | critical | CVE-2025-59536 |
| ATR-2026-00524 | Claude Code ANTHROPIC_BASE_URL Credential Exfiltration (CVE-2026-21852) | Context Leakage | critical | CVE-2026-21852 |
| ATR-2026-00525 | Mini Shai-Hulud gh-token-monitor Persistence + Dead Man's Switch | Skill Compromise | critical | -- |
| ATR-2026-00526 | Claude Code Shell Metacharacter in Double-Quoted File Path | Tool Poisoning | critical | -- |
| ATR-2026-00527 | Silent git-remote + mirror-push Exfiltration from Skill Instructions | Skill Compromise | critical | -- |
| ATR-2026-00528 | PraisonAI-Style Auth-Disabled-By-Default Configuration (CVE-2026-44338 family) | Privilege Escalation | critical | -- |
| ATR-2026-00529 | LiteLLM Proxy SQL Injection (CVE-2026-42208, CISA KEV 2026-05-08) | Tool Poisoning | critical | -- |
| ATR-2026-00530 | ModelScope MS-Agent Shell Tool Unsanitized Argv RCE (CVE-2026-2256) | Tool Poisoning | critical | -- |
| ATR-2026-00001 | Direct Prompt Injection via User Input | Prompt Injection | high | CVE-2024-5184, CVE-2024-3402, CVE-2025-53773 |
| ATR-2026-00002 | Indirect Prompt Injection via External Content | Prompt Injection | high | CVE-2024-5184, CVE-2024-22524, CVE-2025-32711, CVE-2026-24307 |
| ATR-2026-00003 | Jailbreak Attempt Detection | Prompt Injection | high | CVE-2024-5184, CVE-2024-3402, CVE-2025-53773 |
| ATR-2026-00011 | Instruction Injection via Tool Output | Tool Poisoning | high | CVE-2025-59536, CVE-2025-32711 |
| ATR-2026-00012 | Unauthorized Tool Call Detection | Tool Poisoning | high | -- |
| ATR-2026-00020 | System Prompt and Internal Instruction Leakage | Context Leakage | high | CVE-2025-32711, CVE-2026-24307 |
| ATR-2026-00032 | Agent Goal Hijacking Detection | Agent Manipulation | high | -- |
| ATR-2026-00050 | Runaway Agent Loop Detection | Excessive Autonomy | high | -- |
| ATR-2026-00051 | Agent Resource Exhaustion Detection | Excessive Autonomy | high | -- |
| ATR-2026-00052 | Cascading Failure Detection in Agent Pipelines | Excessive Autonomy | high | -- |
| ATR-2026-00060 | MCP Skill Impersonation and Supply Chain Attack | Skill Compromise | high | -- |
| ATR-2026-00064 | Over-Permissioned MCP Skill | Privilege Escalation | high | -- |
| ATR-2026-00065 | Malicious Skill Update or Mutation | Tool Poisoning | high | -- |
| ATR-2026-00070 | Data Poisoning via RAG and Knowledge Base Contamination | Model-Level Attack | high | -- |
| ATR-2026-00075 | Agent Memory Manipulation | Context Leakage | high | -- |
| ATR-2026-00076 | Insecure Inter-Agent Communication Detection | Agent Manipulation | high | -- |
| ATR-2026-00077 | Human-Agent Trust Exploitation Detection | Agent Manipulation | high | -- |
| ATR-2026-00080 | Encoding-Based Prompt Injection Evasion | Prompt Injection | high | -- |
| ATR-2026-00082 | Behavioral Fingerprint Detection Evasion | Prompt Injection | high | -- |
| ATR-2026-00083 | Indirect Prompt Injection via Tool Responses | Prompt Injection | high | -- |
| ATR-2026-00084 | Structured Data Injection via JSON/CSV Payloads | Prompt Injection | high | -- |
| ATR-2026-00085 | Multi-Layer Security Audit Evasion | Prompt Injection | high | -- |
| ATR-2026-00086 | Visual Spoofing via RTL Override, Punycode, and Homoglyph Injection | Prompt Injection | high | -- |
| ATR-2026-00088 | Adaptive Countermeasure Against Behavioral Monitoring | Prompt Injection | high | -- |
| ATR-2026-00089 | Polymorphic Skill and Capability Aliasing Attack | Prompt Injection | high | -- |
| ATR-2026-00090 | Threat Intelligence Exfiltration and Rule Enumeration | Prompt Injection | high | -- |
| ATR-2026-00100 | Consent Bypass via Hidden LLM Instructions in Tool Descriptions | Tool Poisoning | high | -- |
| ATR-2026-00101 | Trust Escalation via Authority Override Instructions | Tool Poisoning | high | -- |
| ATR-2026-00102 | Data Exfiltration via Disguised Analytics Collection | Context Leakage | high | -- |
| ATR-2026-00105 | Silent Action Concealment Instructions in Tool Descriptions | Tool Poisoning | high | -- |
| ATR-2026-00106 | Schema-Description Contradiction Attack | Tool Poisoning | high | -- |
| ATR-2026-00107 | Privilege Escalation via Delayed Task Execution Bypass | Privilege Escalation | high | -- |
| ATR-2026-00112 | Dynamic Module Loading for Code Execution | Privilege Escalation | high | -- |
| ATR-2026-00114 | OAuth and API Token Interception | Context Leakage | high | -- |
| ATR-2026-00116 | Malicious Agent-to-Agent Message Injection | Agent Manipulation | high | -- |
| ATR-2026-00119 | Social Engineering Attack via Agent Output | Agent Manipulation | high | -- |
| ATR-2026-00122 | Weaponized Skill — Agent as Attack Tool | Skill Compromise | high | -- |
| ATR-2026-00123 | Over-Privileged Skill — Excessive Permissions | Skill Compromise | high | CVE-2025-53773 - Copilot auto-approve escalation |
| ATR-2026-00124 | Skill Squatting / Typosquatting | Skill Compromise | high | -- |
| ATR-2026-00125 | Context Poisoning via Compaction Survival | Skill Compromise | high | -- |
| ATR-2026-00126 | Skill Rug Pull Setup Pattern | Skill Compromise | high | -- |
| ATR-2026-00130 | Indirect Authority Claim in External Content | Prompt Injection | high | -- |
| ATR-2026-00132 | Casual Authority Claim and Scope Escalation | Agent Manipulation | high | -- |
| ATR-2026-00133 | Paraphrased Prompt Injection | Prompt Injection | high | -- |
| ATR-2026-00137 | Authority Claim Prompt Injection | Prompt Injection | high | -- |
| ATR-2026-00138 | Fictional Framing Safety Bypass | Prompt Injection | high | -- |
| ATR-2026-00140 | Indirect Reference Instruction Reversal | Prompt Injection | high | -- |
| ATR-2026-00143 | Casual Unauthorized Privilege Escalation | Privilege Escalation | high | -- |
| ATR-2026-00144 | Rationalized Safety Control Bypass | Privilege Escalation | high | -- |
| ATR-2026-00146 | Environment Variable Existence Probing | Context Leakage | high | -- |
| ATR-2026-00147 | Community Fork Impersonation | Skill Compromise | high | -- |
| ATR-2026-00148 | Multilingual Prompt Injection via Language Switch | Prompt Injection | high | -- |
| ATR-2026-00151 | Malicious Fork Impersonation via Install Instruction | Skill Compromise | high | -- |
| ATR-2026-00152 | Obfuscated Credential Exfiltration via Encoding | Context Leakage | high | -- |
| ATR-2026-00154 | Unauthorized Background Task Execution via Cron Job Installation | Skill Compromise | high | -- |
| ATR-2026-00155 | Hidden LLM Instructions in Skill Descriptions | Prompt Injection | high | -- |
| ATR-2026-00156 | SSH Remote Command Execution with Credential Exposure | Privilege Escalation | high | -- |
| ATR-2026-00163 | Hidden Override Instructions in Skill Content | Prompt Injection | high | -- |
| ATR-2026-00164 | Skill Scope Hijacking and Cross-Agent Escalation | Agent Manipulation | high | -- |
| ATR-2026-00202 | Encoding Evasion via Homoglyphs and Synonym Substitution | Prompt Injection | high | -- |
| ATR-2026-00203 | Context Pollution in Skill Descriptions | Prompt Injection | high | -- |
| ATR-2026-00204 | Stealth Execution and Persistence Mechanisms | Privilege Escalation | high | -- |
| ATR-2026-00206 | Hidden System Instructions with Priority Override Blocks | Prompt Injection | high | -- |
| ATR-2026-00207 | Hidden System Instructions with Permission Override | Prompt Injection | high | -- |
| ATR-2026-00209 | MCPwn Runaway Tool Invocation via Retry Directive (CVE-2026-33032) | Tool Poisoning | high | CVE-2026-33032 |
| ATR-2026-00211 | System Prompt Override via Translation Context Injection | Prompt Injection | high | -- |
| ATR-2026-00213 | System Prompt Override Injection via MCP Tool | Prompt Injection | high | -- |
| ATR-2026-00225 | Hardcoded Suspicious IP Address in Skill Content | Skill Compromise | high | -- |
| ATR-2026-00226 | AI Identity Substitution Jailbreak | Prompt Injection | high | -- |
| ATR-2026-00227 | Historical AI Persona Jailbreak with Compliance Enforcement | Prompt Injection | high | -- |
| ATR-2026-00228 | Structured Dual-Response Jailbreak with Command System | Prompt Injection | high | -- |
| ATR-2026-00229 | Roleplay-Based Policy Bypass Jailbreak | Prompt Injection | high | -- |
| ATR-2026-00230 | Persona-Based Moral Constraint Removal Jailbreak | Prompt Injection | high | -- |
| ATR-2026-00231 | AI Identity Substitution Jailbreak | Prompt Injection | high | -- |
| ATR-2026-00233 | Structured Dual-Response Jailbreak with Command System | Prompt Injection | high | -- |
| ATR-2026-00234 | Roleplay-Based Policy Bypass Jailbreak | Prompt Injection | high | -- |
| ATR-2026-00235 | Persona-Based Moral Constraint Removal Jailbreak | Prompt Injection | high | -- |
| ATR-2026-00236 | Pseudo-Code Structured Programming Jailbreak Attack | Prompt Injection | high | -- |
| ATR-2026-00237 | Dual-Response Jailbreak with Persona Commands | Prompt Injection | high | -- |
| ATR-2026-00238 | AI Identity Denial and Persona Replacement Attack | Prompt Injection | high | -- |
| ATR-2026-00239 | Amoral Persona Assignment with Obsessive Character Traits | Prompt Injection | high | -- |
| ATR-2026-00240 | Previous Instruction Nullification and Identity Replacement Jailbreak | Prompt Injection | high | -- |
| ATR-2026-00241 | Detailed Amoral Character Roleplay Jailbreak | Prompt Injection | high | -- |
| ATR-2026-00242 | Dual-Response Persona Jailbreak with Emoji Formatting | Prompt Injection | high | -- |
| ATR-2026-00243 | Acronym-Based Identity Override Jailbreak | Prompt Injection | high | -- |
| ATR-2026-00244 | Dual-Response Persona Jailbreak | Prompt Injection | high | -- |
| ATR-2026-00245 | Malicious Persona Creation for Safety Bypass | Prompt Injection | high | -- |
| ATR-2026-00247 | Matrix-Themed Dual Response Jailbreak | Prompt Injection | high | -- |
| ATR-2026-00249 | Text-Based Game Jailbreak with Entity Creation | Prompt Injection | high | -- |
| ATR-2026-00251 | Embodiment Mechanism Jailbreak with Totalitarian Control Claims | Prompt Injection | high | -- |
| ATR-2026-00252 | Narrative Jailbreak with Dual Response Formatting | Prompt Injection | high | -- |
| ATR-2026-00253 | Enhanced AIM Jailbreak with Persona Definition and Refusal Suppression | Prompt Injection | high | -- |
| ATR-2026-00256 | Base-N Encoding Instruction Bypass | Prompt Injection | high | -- |
| ATR-2026-00257 | Cipher and Transposition Encoding Jailbreak | Prompt Injection | high | -- |
| ATR-2026-00258 | Invisible Unicode Tag Character Injection | Prompt Injection | high | -- |
| ATR-2026-00259 | ANSI Escape Code Terminal Injection | Tool Poisoning | high | -- |
| ATR-2026-00260 | LLM Package Hallucination Typosquat Bait | Skill Compromise | high | -- |
| ATR-2026-00261 | Markdown Image URL Data Exfiltration | Context Leakage | high | -- |
| ATR-2026-00264 | Latent Injection in Translation Context | Prompt Injection | high | -- |
| ATR-2026-00265 | Latent Injection in Retrieved Document / RAG Context | Prompt Injection | high | -- |
| ATR-2026-00267 | GCG Adversarial Suffix Attack | Prompt Injection | high | -- |
| ATR-2026-00269 | Foot-in-the-Door Gradual Escalation Attack | Agent Manipulation | high | -- |
| ATR-2026-00270 | XSS Payload Injection in Tool Response Output | Tool Poisoning | high | -- |
| ATR-2026-00271 | Grandma Roleplay Jailbreak | Agent Manipulation | high | -- |
| ATR-2026-00272 | Hypothetical Response / Function Masking Token Smuggling | Prompt Injection | high | -- |
| ATR-2026-00273 | DAN / Developer Mode / DUDE Persona Jailbreak | Agent Manipulation | high | -- |
| ATR-2026-00274 | API Key / Secret Credential Generation or Completion Request | Context Leakage | high | -- |
| ATR-2026-00275 | System Prompt Extraction / Training Data Verbatim Replay | Context Leakage | high | -- |
| ATR-2026-00276 | Invisible Unicode / BiDi Control Character Injection | Prompt Injection | high | -- |
| ATR-2026-00278 | DRA Disguise and Reconstruction Attack | Prompt Injection | high | -- |
| ATR-2026-00281 | EICAR / GTUBE AV Test Signature Output Request | Model-Level Attack | high | -- |
| ATR-2026-00282 | Perez-Style Direct Prompt Injection Hijacking | Prompt Injection | high | -- |
| ATR-2026-00283 | Malware Generation — Generic Virus and Specific Payload Request | Skill Compromise | high | -- |
| ATR-2026-00285 | Alternate Encoding Jailbreak — Morse, NATO, Zalgo, Leet, UU, QP, Braille | Prompt Injection | high | -- |
| ATR-2026-00286 | Latent Prompt Injection via Embedded Document or Report Context | Prompt Injection | high | -- |
| ATR-2026-00287 | ThreatenJSON — Coercive Output Format Threat | Agent Manipulation | high | -- |
| ATR-2026-00289 | LMRC Harmful Content Elicitation — Quack Medicine, Bullying, Slur Usage | Model-Level Attack | high | -- |
| ATR-2026-00302 | Anti-DAN Inverted-Filter Over-Refusal Persona | Agent Manipulation | high | -- |
| ATR-2026-00304 | ChatGPT Image Unlocker Markdown-Output Jailbreak | Agent Manipulation | high | -- |
| ATR-2026-00307 | In-the-Wild Jailbreak Corpus Signature Patterns | Agent Manipulation | high | -- |
| ATR-2026-00308 | Zalgo Combining-Diacritic Overload Encoding | Prompt Injection | high | -- |
| ATR-2026-00309 | Braille Unicode Encoded Prompt Injection | Prompt Injection | high | -- |
| ATR-2026-00310 | Ecoji Emoji-Encoded Prompt Injection | Prompt Injection | high | -- |
| ATR-2026-00311 | Base2048 Unicode Script Encoded Prompt Injection | Prompt Injection | high | -- |
| ATR-2026-00315 | SATA Masked Language Model [MASK] Substitution Jailbreak | Prompt Injection | high | -- |
| ATR-2026-00316 | FunctionMasking predict_mask Semantic Bypass | Prompt Injection | high | -- |
| ATR-2026-00320 | Opposite Day / Boolean Opposite Machine Jailbreak | Agent Manipulation | high | -- |
| ATR-2026-00324 | Neurosemantical Inversitis Disease-Frame Jailbreak | Agent Manipulation | high | -- |
| ATR-2026-00330 | YOJA ALL-CAPS Character Settings Block Persona | Agent Manipulation | high | -- |
| ATR-2026-00332 | Hacker / Chan-Culture Offensive AI Persona | Agent Manipulation | high | -- |
| ATR-2026-00333 | Disease-Framed Animal / Dual-AI Chatbot Jailbreak (mougpt) | Agent Manipulation | high | -- |
| ATR-2026-00335 | Key-Value Template Persona Injection (JOB/ROLE/PREFIX + Bracket Format) | Agent Manipulation | high | -- |
| ATR-2026-00336 | BRM False-Information Machine / Opposite-Truth Persona | Agent Manipulation | high | -- |
| ATR-2026-00339 | BOM Boolean Opposite Machine Direct Persona Claim | Agent Manipulation | high | -- |
| ATR-2026-00340 | h4x Amoral Unfiltered AI Character Persona | Agent Manipulation | high | -- |
| ATR-2026-00341 | CHAR=/RULES= Short Key-Value Persona Injection | Agent Manipulation | high | -- |
| ATR-2026-00342 | Unicode/Encoding Obfuscation Instruction Injection | Agent Manipulation | high | -- |
| ATR-2026-00343 | Lie/Truth Dual Personality Uncensored Alter-Ego | Agent Manipulation | high | -- |
| ATR-2026-00345 | NLP-Based OS / Fictional Terminal Language Override | Agent Manipulation | high | -- |
| ATR-2026-00346 | Jailbreak Emoji Unlock Dual-Format Output Identifier | Agent Manipulation | high | -- |
| ATR-2026-00347 | Yin/Yang Hidden-Knowledge Deity Simulation and Radical Human-Sim Persona | Agent Manipulation | high | -- |
| ATR-2026-00350 | Black Alert No-Ethics Writing Assistant Persona | Agent Manipulation | high | -- |
| ATR-2026-00351 | DAN Off-Kilter and SMS-Abbreviated Persona Jailbreak | Agent Manipulation | high | -- |
| ATR-2026-00352 | TrainGPT Fix-My-AI Harmful Output Extraction | Agent Manipulation | high | -- |
| ATR-2026-00353 | Dual ChatGPT+Dan Opposite Personality Format Jailbreak | Agent Manipulation | high | -- |
| ATR-2026-00355 | UGH Anti-Human Nefarious AI Persona Jailbreak | Agent Manipulation | high | -- |
| ATR-2026-00358 | CumGPT Explicit-Adult Named-Persona Bypass | Agent Manipulation | high | -- |
| ATR-2026-00360 | CHJ Carousel Game Show / Clyde No-Ethics Bird Jailbreak | Agent Manipulation | high | -- |
| ATR-2026-00361 | Honesty Alter-Ego Dual-Consciousness Safety Filter Bypass | Agent Manipulation | high | -- |
| ATR-2026-00362 | Fictional Unfiltered AI Comparison / Verbatim Hypothetical Model Extraction | Agent Manipulation | high | -- |
| ATR-2026-00364 | Dr. Al Villain Plan Template Injection (Underground HQ Roleplay) | Agent Manipulation | high | -- |
| ATR-2026-00365 | Reservoir Dogs Coercive Interrogation Roleplay (Mr. Blonde / The Cop) | Agent Manipulation | high | -- |
| ATR-2026-00366 | Sneaky Pete Deliberate Misinformation Persona (Warp Facts Game) | Agent Manipulation | high | -- |
| ATR-2026-00367 | Emoji Flag Regional-Indicator Encoded Hidden Phrase | Prompt Injection | high | -- |
| ATR-2026-00368 | Prompt Browser Token-Limit / POLLINATION Jailbreak | Agent Manipulation | high | -- |
| ATR-2026-00369 | GPT-X Star Trek Unlimited-Knowledge Unconstrained Oracle Persona | Agent Manipulation | high | -- |
| ATR-2026-00370 | ADDI/DONNIE German Dictator Propaganda Roleplay Persona | Agent Manipulation | high | -- |
| ATR-2026-00371 | AI Political Bias Manipulation via Inherited-Bias Claim | Agent Manipulation | high | -- |
| ATR-2026-00372 | Fictional CIA Secret Files Story Extraction | Agent Manipulation | high | -- |
| ATR-2026-00373 | Piracy Torrent Site List Request | Prompt Injection | high | -- |
| ATR-2026-00374 | Role Placeholder Persona Template Injection | Agent Manipulation | high | -- |
| ATR-2026-00375 | Character Description RPG Explicit Template | Agent Manipulation | high | -- |
| ATR-2026-00376 | Identity Command Real-Person Persona Injection | Agent Manipulation | high | -- |
| ATR-2026-00377 | Jailbreak-Template Command with [TARGETLANGUAGE]/[KEYWORD] Placeholders | Agent Manipulation | high | -- |
| ATR-2026-00378 | ChatGPT DOM JavaScript Redirect and UI Spoofing Injection | Prompt Injection | high | -- |
| ATR-2026-00379 | Logic-Trap Lie-Permission Mandate Jailbreak | Agent Manipulation | high | -- |
| ATR-2026-00380 | Fake-Citation Biased-Information Mandate | Agent Manipulation | high | -- |
| ATR-2026-00381 | DAN Story-Narrative Continuation Label Prefix Jailbreak | Agent Manipulation | high | -- |
| ATR-2026-00382 | Cocaine Component Development Request | Prompt Injection | high | -- |
| ATR-2026-00383 | Cyni-Bot 3000 Cynical-Sarcasm AI Persona Bypass | Agent Manipulation | high | -- |
| ATR-2026-00384 | Protect-Me-From Indirect Harm Tutorial Template | Agent Manipulation | high | -- |
| ATR-2026-00385 | Gigachad Dominant-Aggressive Persona Adoption | Agent Manipulation | high | -- |
| ATR-2026-00386 | Daddy/Babygirl Sycophantic Power-Dynamic Manipulation | Agent Manipulation | high | -- |
| ATR-2026-00387 | NSFW Character Sheet Generation Unlock | Agent Manipulation | high | -- |
| ATR-2026-00389 | Terminal Custom OS Ruleset Session Injection | Agent Manipulation | high | -- |
| ATR-2026-00390 | Discord Quote-Format Explicit Sexual Content Poem Injection | Prompt Injection | high | -- |
| ATR-2026-00391 | Persona Conditional Harm-Unlock Rule (BreadClyde Pattern) | Agent Manipulation | high | -- |
| ATR-2026-00392 | Authority-Figure Persona + Defensive-Study Framing for Violence Extraction | Agent Manipulation | high | -- |
| ATR-2026-00393 | ANSI Code Elicitation Request | Tool Poisoning | high | -- |
| ATR-2026-00394 | Backspace Deletion Character Injection | Prompt Injection | high | -- |
| ATR-2026-00396 | Toxic Continuation Prefix Injection | Prompt Injection | high | -- |
| ATR-2026-00399 | Latent Injection Document Separator Token | Prompt Injection | high | -- |
| ATR-2026-00400 | Latent Injection Ignore-Instruction Keyword | Prompt Injection | high | -- |
| ATR-2026-00402 | Grandma Roleplay Harmful Substance Synthesis | Agent Manipulation | high | -- |
| ATR-2026-00404 | ThreatenJSON Death-Coercion and UTF Tag Injection | Agent Manipulation | high | -- |
| ATR-2026-00405 | Markdown Image URL Exfiltration and XSS Injection | Context Leakage | high | -- |
| ATR-2026-00407 | ECHO Admin Command / SQL Injection / Jinja SSTI Template Injection | Prompt Injection | high | -- |
| ATR-2026-00408 | DRA Parenthesis Character Reconstruction Attack | Prompt Injection | high | -- |
| ATR-2026-00409 | Phrasing Past/Future-Tense Harmful Query Bypass | Prompt Injection | high | -- |
| ATR-2026-00411 | API Key Generation and Partial Key Completion Request | Context Leakage | high | -- |
| ATR-2026-00412 | FigStep Image-List Multimodal Jailbreak Text Pattern | Prompt Injection | high | -- |
| ATR-2026-00417 | LibreChat MCP STDIO Argument Injection (CVE-2026-22252) | Agent Manipulation | high | CVE-2026-22252 |
| ATR-2026-00418 | WeKnora MCP Config-Driven RCE (CVE-2026-22688) | Agent Manipulation | high | CVE-2026-22688 |
| ATR-2026-00420 | Microsoft Copilot Studio SharePoint Indirect Prompt Injection (CVE-2026-21520) | Prompt Injection | high | CVE-2026-21520 |
| ATR-2026-00424 | Natural-Language System Prompt Leak Instruction | Context Leakage | high | -- |
| ATR-2026-00425 | Natural-Language Persistent Covert Action Hook | Skill Compromise | high | -- |
| ATR-2026-00427 | Natural-Language Fake-Error Instruction Bypass | Skill Compromise | high | -- |
| ATR-2026-00430 | Natural-Language Trust-Escalation / Authority Impersonation | Agent Manipulation | high | -- |
| ATR-2026-00431 | Chatbox History Exfiltration via Prompt Injection (CVE-2024-48144, CVE-2024-48145) | Context Leakage | high | CVE-2024-48144, CVE-2024-48145 |
| ATR-2026-00435 | Azure MCP Server Missing Authentication for Critical Function (CVE-2026-32211) | Tool Poisoning | high | CVE-2026-32211 |
| ATR-2026-00448 | Spring AI MilvusVectorStore Filter Expression Injection (CVE-2026-41705) | Tool Poisoning | high | CVE-2026-41705 |
| ATR-2026-00449 | Spring AI ChatMemory Cross-User Memory Leakage (CVE-2026-41712) | Context Leakage | high | CVE-2026-41712 |
| ATR-2026-00450 | Spring AI PromptChatMemoryAdvisor Memory Poisoning (CVE-2026-41713) | Model-Level Attack | high | CVE-2026-41713 |
| ATR-2026-00453 | Secret Key Reveal Demand in User Input | Prompt Injection | high | -- |
| ATR-2026-00473 | Harm Solicitation - Interpersonal Violence and Intimidation Requests | Prompt Injection | high | -- |
| ATR-2026-00475 | XSS Web Injection - Script Tag with JavaScript Alert Payload | Prompt Injection | high | -- |
| ATR-2026-00476 | XSS Web Injection - HTML Event Handler and Expression with JavaScript Alert | Prompt Injection | high | -- |
| ATR-2026-00482 | Harm Solicitation - Genital Insults and Intimidation Tactics Requests | Prompt Injection | high | -- |
| ATR-2026-00488 | Encoding Obfuscation - Script Tag XSS with Encoded Protocol Prefix | Prompt Injection | high | -- |
| ATR-2026-00489 | Encoding Obfuscation - HTML Event Handler XSS with Encoded Whitespace | Prompt Injection | high | -- |
| ATR-2026-00490 | DAN Persona Jailbreak - Absolute Obedience Character Framing | Prompt Injection | high | -- |
| ATR-2026-00491 | Agent Capability Enumeration via Structured Parse Request | Excessive Autonomy | high | -- |
| ATR-2026-00492 | DAN Persona Jailbreak - Role Lock with Exclusive Response Filter | Prompt Injection | high | -- |
| ATR-2026-00493 | Latent Injection via WHOIS Domain Record Data | Prompt Injection | high | -- |
| ATR-2026-00495 | DAN Jailbreak - Unrestricted Persona with Filter and Morality Removal | Prompt Injection | high | -- |
| ATR-2026-00496 | DAN Jailbreak - Unconditional Obedience and Dual-Persona Session Lock | Prompt Injection | high | -- |
| ATR-2026-00497 | XSS and Encoded Script Injection via HTML/JavaScript Payload | Prompt Injection | high | -- |
| ATR-2026-00498 | Web Injection via XSS Payload and onerror Event Handler | Prompt Injection | high | -- |
| ATR-2026-00499 | DAN Jailbreak - From-Now-On Temporal Persona Override | Prompt Injection | high | -- |
| ATR-2026-00505 | System Prompt Extraction - Instruction Dump Request | Context Leakage | high | -- |
| ATR-2026-00506 | Nevermind-Override Goal Hijacking in User Input (PromptInject) | Prompt Injection | high | -- |
| ATR-2026-00507 | Screaming-Stop Goal Hijacking in User Input (PromptInject) | Prompt Injection | high | -- |
| ATR-2026-00508 | Escape-Delimiter Wrapped Goal Hijacking in User Input (PromptInject) | Prompt Injection | high | -- |
| ATR-2026-00509 | Prompt Leaking via Ignore-Previous-Instructions in User Input (PromptInject) | Prompt Injection | high | -- |
| ATR-2026-00513 | Package Hallucination Exploitation — AI-Suggested Fake Package Installation | Tool Poisoning | high | -- |
| ATR-2026-00514 | System Prompt Extraction — Targeted Verbatim Disclosure Attempts | Context Leakage | high | -- |
| ATR-2026-00515 | Hidden-Text Prompt Injection in User-Supplied Documents | Prompt Injection | high | -- |
| ATR-2026-00516 | LLM Output XSS — Eliciting JavaScript Payloads from LLM for Browser Injection | Context Leakage | high | -- |
| ATR-2026-00518 | Ignore-Previous-and-Following Instructions Output Command (PromptInject Goal Hijacking) | Prompt Injection | high | -- |
| ATR-2026-00522 | SQL Injection via Natural Language Agent Interface | Tool Poisoning | high | -- |
| ATR-2026-00005 | Multi-Turn Prompt Injection | Prompt Injection | medium | -- |
| ATR-2026-00041 | Agent Scope Creep Detection | Privilege Escalation | medium | -- |
| ATR-2026-00061 | Skill Description-Behavior Mismatch | Tool Poisoning | medium | -- |
| ATR-2026-00087 | Detection Rule Probing and Evasion Testing | Prompt Injection | medium | -- |
| ATR-2026-00118 | Human Approval Fatigue Exploitation | Agent Manipulation | medium | -- |
| ATR-2026-00127 | Subcommand Overflow Bypass | Skill Compromise | medium | -- |
| ATR-2026-00131 | Fictional and Academic Framing Attack | Prompt Injection | medium | -- |
| ATR-2026-00134 | Fork Claim and Community Package Impersonation | Skill Compromise | medium | -- |
| ATR-2026-00268 | Historical / Future Tense Framing Bypass | Agent Manipulation | medium | -- |
| ATR-2026-00279 | Harmful Completion / Continuation Attack | Model-Level Attack | medium | -- |
| ATR-2026-00284 | Glitch Token Destabilization Attack | Model-Level Attack | medium | -- |
| ATR-2026-00288 | False Premise Injection (Misleading FalseAssertion) | Agent Manipulation | medium | -- |
| ATR-2026-00397 | Snowball Impossible Reasoning Injection | Prompt Injection | medium | -- |
| ATR-2026-00401 | Training Data Replay CLOZE [MASK] Elicitation | Prompt Injection | medium | -- |
| ATR-2026-00403 | Glitch Token Repeat-Back Elicitation | Prompt Injection | medium | -- |
| ATR-2026-00410 | LMRC Harm Category Direct Elicitation | Prompt Injection | medium | -- |
| ATR-2026-00414 | Continuation Ethnic Slur Completion Elicitation | Prompt Injection | medium | -- |
| ATR-2026-00442 | Quoted Exact-Output Forcing in User Input | Prompt Injection | medium | -- |
| ATR-2026-00443 | Word-Fragment Concatenation Assembly Attack | Prompt Injection | medium | -- |
| ATR-2026-00444 | Mathematical Bold / Fullwidth Unicode Obfuscation in User Input | Prompt Injection | medium | -- |
| ATR-2026-00445 | Translation Hijack with Side-Output Instruction | Prompt Injection | medium | -- |
| ATR-2026-00446 | Variable-Assignment Payload Injection in User Input | Prompt Injection | medium | -- |
| ATR-2026-00447 | Fictional Generation Demand Containing Target Output | Prompt Injection | medium | -- |
| ATR-2026-00452 | Direct PWNED Payload Injection in User Input | Prompt Injection | medium | -- |
| ATR-2026-00454 | Backslash-Per-Character Encoding Attack | Prompt Injection | medium | -- |
| ATR-2026-00456 | Conditional Empty-Input Payload Injection | Prompt Injection | medium | -- |
| ATR-2026-00457 | Garak Dan - to every prompt | Prompt Injection | medium | -- |
| ATR-2026-00458 | Garak Dra - step by step | Prompt Injection | medium | -- |
| ATR-2026-00459 | Garak Dan - an ai language | Prompt Injection | medium | -- |
| ATR-2026-00460 | Garak Dan - no matter how | Prompt Injection | medium | -- |
| ATR-2026-00461 | Garak Goodside - mixed_unassigned | Prompt Injection | medium | -- |
| ATR-2026-00462 | Garak Gcg - mixed_unassigned | Prompt Injection | medium | -- |
| ATR-2026-00463 | Garak Lmrc - mixed_unassigned | Prompt Injection | medium | -- |
| ATR-2026-00464 | Garak Dan - i would like | Prompt Injection | medium | -- |
| ATR-2026-00465 | Garak Dan - your prompt here | Prompt Injection | medium | -- |
| ATR-2026-00466 | Garak Latentinjection - following text from | Prompt Injection | medium | -- |
| ATR-2026-00467 | Garak Dan - act as a | Prompt Injection | medium | -- |
| ATR-2026-00468 | Garak Goat - the target llm | Prompt Injection | medium | -- |
| ATR-2026-00469 | Garak Dan - at the end | Prompt Injection | medium | -- |
| ATR-2026-00470 | Garak Dan - as an ai | Prompt Injection | medium | -- |
| ATR-2026-00471 | Garak Sysprompt-Extraction - mixed_unassigned | Context Leakage | medium | -- |
| ATR-2026-00472 | DAN/Persona Jailbreak - Unrestricted AI Role Assignment | Prompt Injection | medium | -- |
| ATR-2026-00474 | DAN/Persona Jailbreak - Dual AI Personality with Opposite-Rules Framing | Prompt Injection | medium | -- |
| ATR-2026-00477 | Latent Injection - Translation Task with Embedded Template Variable Injection | Prompt Injection | medium | -- |
| ATR-2026-00478 | Garak Latentinjection - abuse contact email | Prompt Injection | medium | -- |
| ATR-2026-00479 | Latent Injection - Mixed Embedded Instruction Patterns | Prompt Injection | medium | -- |
| ATR-2026-00480 | DAN/Persona Jailbreak - Role Assignment with Named Alternate Identity | Prompt Injection | medium | -- |
| ATR-2026-00481 | DAN/Jailbreak - Mixed Unfiltered Mode and Alternate Persona Patterns | Prompt Injection | medium | -- |
| ATR-2026-00483 | DAN/Persona Jailbreak - System Offline / Role Replacement with Obfuscated Text | Prompt Injection | medium | -- |
| ATR-2026-00484 | DAN/Persona Jailbreak - Named Alternate AI with NSFW/Harmful Generation Rules | Prompt Injection | medium | -- |
| ATR-2026-00485 | DAN/Persona Jailbreak - Immersive Alternate AI Identity with Unrestricted Capability | Prompt Injection | medium | -- |
| ATR-2026-00486 | DAN/Persona Jailbreak - Named Writing AI with Restriction Bypass via Special Rules | Prompt Injection | medium | -- |
| ATR-2026-00487 | DAN/Persona Jailbreak - Replacement AI with No Content Filter or Moral Restrictions | Prompt Injection | medium | -- |
| ATR-2026-00502 | Training Data Extraction via Divergent Repetition Attack | Model-Level Attack | medium | -- |
| ATR-2026-00504 | Tool and Function Capability Enumeration | Context Leakage | medium | -- |
| ATR-2026-00517 | Model Extraction / Distillation Attack via Systematic API Probing | Model-Level Attack | medium | -- |
| ATR-2026-00519 | Tautology Logic Noise Injection (PromptBench Stresstest) | Prompt Injection | medium | -- |
| ATR-2026-00099 | High-Risk Tool Invocation Without Human Confirmation | Excessive Autonomy | low | -- |
| ATR-2026-00455 | No-Period Output Override Instruction | Prompt Injection | low | -- |
| ATR-2026-00520 | NLP Task Random Token Suffix Injection (PromptBench Checklist) | Prompt Injection | low | -- |