[3] Polyglot files have practical applications in compatibility,[4] but can also present a security risk when used to bypass validation or to exploit a vulnerability.
A notable early example, named simply polyglot was published on the Usenet group rec.puzzles in 1991, supporting eight languages, though this was inspired by even earlier programs.
[6] In the 21st century, polyglot programs and files gained attention as a covert channel mechanism for propagation of malware.
This is often accomplished by hiding language-specific constructs in segments interpreted as comments or plain text of the other format.
In 2019, an evaluation of commercial anti-malware software determined that several such packages were unable to detect any of the polyglot malware under test.
[3][2] In 2019, the DICOM medical imaging file format was found to be vulnerable to malware injection using a PE-DICOM polyglot technique.
[14] The polyglot nature of the attack, combined with regulatory considerations, led to disinfection complications: because "the malware is essentially fused to legitimate imaging files", "incident response teams and A/V software cannot delete the malware file as it contains protected patient health information".
[16] This technique can be used to exploit security vulnerabilities, for example through uploading a GIFAR to a website that allows image uploading (as it is a valid GIF file), and then causing the Java portion of the GIFAR to be executed as though it were part of the website's intended code, being delivered to the browser from the same origin.