BookStack vs Skedda
Side-by-side trajectory, velocity, and editorial themes.
BookStack opened a real theme extension surface, then spent six weeks patching CVEs.
BookStack shipped v26.03 in mid-March 2026 with a meaningful new theme module system and several theme events (page render, pre-save, OIDC URL customization) — the first time the project's customization surface has had real extension points rather than just template overrides. The next six weeks were almost entirely security work: four security-marked patch releases (v25.12.9, v26.03.1, v26.03.2, v26.03.4) addressing role-escalation via registration, hidden content leaking through markdown exports, style-code injection in revision diffs, and attachment/webhook URL validation gaps. Multiple researchers credited per release.
The arc is 'open up the platform, then defend it' — adding extension points was the v26.03 push, and the subsequent CVE volume reads as a coordinated audit response (often two researchers credited per advisory, suggesting public attention from pen-testers). The 25.12.x line is also still being patched in parallel, indicating the team is supporting both branches rather than forcing rapid upgrades.
Expect another v26.03.x patch release if the audit cycle isn't complete, then a return to feature work — likely more theme-event coverage and exposing more lifecycle hooks to match what the new module system can attach to. The dual-branch maintenance pattern probably continues until v25.12 hits its support cutoff.
Skedda is closing the booked-vs-used gap with check-in automation and occupancy insights.
Skedda has spent the last two months building out the loop between bookings, actual presence, and analytics. The Companion App (Mac and Windows) detects when a user's laptop joins the office network and feeds auto check-in. The Insights tab now includes check-in rates, method breakdowns (WiFi, QR, email), and per-user and per-space drill-downs. Visit Types just landed for proper visitor categorization, and User Search on the map closes a frequently asked 'where is my colleague sitting' workflow.
The product is converging on workplace operations — not just bookings, but occupancy truth and visitor governance. The Companion App plus Check-in Insights attack the long-running hot-desk problem where bookings overstate actual usage. Visit Types and earlier Notification Rules are positioning Skedda for richer reception and security workflows, edging into the visitor-management territory dominated by Envoy.
Expect deeper coupling between occupancy data and space-optimization recommendations — likely under-utilization flags and right-sizing suggestions — alongside continued visitor-governance investment (badge printing, watchlists, NDA capture) to keep competing with dedicated visitor-management vendors.
See more alternatives to BookStack →
See more alternatives to Skedda →