The validation for the file URI scheme falls short, and results in an attacker being able to read any file on the system. This issue only affects instances with a webdriver enabled, and ALLOW_FILE_URI false or not defined.
The check used for URL protocol, is_safe_url, allows file: as a URL scheme:
https://github.com/dgtlmoon/changedetection.io/blob/e0abf0b50507a8a3d0c1d8522ab23519b3e4cdf4/changedetectionio/model/Watch.py#L11-L13
It later checks if local files are permitted, but one of the preconditions for the check is that the URL starts with file://. The issue comes with the fact that the file URI scheme is not required to have double slashes.
A valid file URI must therefore begin with either
file:/path(no hostname),file:///path(empty hostname), orfile://hostname/path. — Wikipedia
https://github.com/dgtlmoon/changedetection.io/blob/e0abf0b50507a8a3d0c1d8522ab23519b3e4cdf4/changedetectionio/processors/init.py#L37-L41
file:/etc/passwd or a similar path for your operating system. Enable webdriver mode