Kanboard vs Aha!
Side-by-side trajectory, velocity, and editorial themes.
Kanboard is on a year-long security-hardening run, sweeping the codebase one attack class at a time.
Kanboard's last six releases read as a single sustained security audit: parameterized queries replacing raw SQL, SSRF protection for webhooks, LDAP injection escapes, timing-safe token comparisons, CSRF protection for project role changes, comment-visibility enforcement for unauthenticated users, and removal of unsafe deserialization paths (file cache driver, legacy serialized events). Feature work continues in parallel — RTL support, Arabic translation, sub-task counts, bulk tag operations — but is clearly secondary to the hardening arc.
The team is methodically working through input surfaces (LDAP, headers, webhooks, file uploads, redirect targets) and output surfaces (comments, exports, API responses) to close authorization and injection gaps. This is mature-project hygiene, not pivot work — Kanboard is positioning itself as an audit-ready self-hostable kanban for organizations with security review checklists. PHP 8.1 is now the floor; the codebase is being modernized alongside the hardening.
Expect the security cadence to continue with one to two more releases focused on remaining trust boundaries, then a feature-weighted release picking up RTL/locale follow-ons and possibly the long-promised SQLite/Postgres parity work hinted at by recent Docker Compose additions.
Aha! Builder is reshaping the product — prototypes, databases, and an MCP server land in the same week.
Aha! is shipping at a daily cadence and pushing in two directions simultaneously. First, the Builder surface is being fleshed out into a full prototype-and-validate environment: built-in databases with preview/production split, in-app feedback widgets, prototypes saved as records linked to product work, AI-assisted feature mockups. Second, AI is being layered across the existing PM workflow — an MCP server that exposes Aha! data to Claude, ChatGPT, and Copilot; AI-built customer-insights reports; AI-assisted roadmap presentations. A new HubSpot integration on the Ideas side rounds out the recent moves.
Aha! is positioning to defend its roadmap-software seat against AI-native challengers (the Productboard comparison post is a tell) by becoming the layer where product managers prototype, validate with users, and connect the result back to the roadmap. The Builder line is the strategic bet — taking PMs out of Figma/Retool tooling and keeping them in Aha!. The MCP server matters in parallel: it positions Aha! as a data source for any agent runtime, not just as a destination workflow tool.
Expect Aha! Builder to be packaged as a standalone SKU (or upgraded tier) within the next quarter, given how complete the prototype-database-feedback loop now is. The MCP server is likely the first of several agent-integration surfaces; a second wave will probably target Linear/Jira-style sync agents that bridge Aha! into engineering execution tools.