Standard vBulletin will not allow for inline display of any unsafe attachment type. This includes .SWF. If inline viewing of a potential unsafe attachment type is allowed, then this is either done by a modification or by a custom BB-code. If the attachment can only be downloaded (like with default vBulletin), then it can never execute any code inside the webserver scope. Conclusion: There is no vulnerability in vBulletin and this is a bogus report.