
Kanboard vs Hostaway

Side-by-side trajectory, velocity, and editorial themes.

K0.0

Kanboard is on a year-long security-hardening run, sweeping the codebase one attack class at a time.

◆ Current state

Kanboard's last six releases read as a single sustained security audit: parameterized queries replacing raw SQL, SSRF protection for webhooks, LDAP injection escapes, timing-safe token comparisons, CSRF protection for project role changes, comment-visibility enforcement for unauthenticated users, and removal of unsafe deserialization paths (file cache driver, legacy serialized events). Feature work continues in parallel — RTL support, Arabic translation, sub-task counts, bulk tag operations — but is clearly secondary to the hardening arc.

◆ Where it's heading

The team is methodically working through input surfaces (LDAP, headers, webhooks, file uploads, redirect targets) and output surfaces (comments, exports, API responses) to close authorization and injection gaps. This is mature-project hygiene, not pivot work — Kanboard is positioning itself as an audit-ready self-hostable kanban for organizations with security review checklists. PHP 8.1 is now the floor; the codebase is being modernized alongside the hardening.

◆ Prediction

Expect the security cadence to continue with one to two more releases focused on remaining trust boundaries, then a feature-weighted release picking up RTL/locale follow-ons and possibly the long-promised SQLite/Postgres parity work hinted at by recent Docker Compose additions.

H7.5

Hostaway pushes AI into the host inbox and starts pulling Booking.com management onto its own platform.

◆ Current state

Hostaway is shipping at high cadence across three threads: AI-driven inbox triage (sentiment scoring, automatic escalations) on both web and mobile, finance and reporting depth (multi-unit reporting, owner-statement email delivery), and channel control (Booking.com Content Sync Phase 1, Booking Website Pro for direct bookings). The mobile app is closing parity gaps quickly, with custom field editing and bulk pricing now on-device.

◆ Where it's heading

The recent pattern points to Hostaway positioning as the operations hub property managers run their entire portfolio from — including direct bookings — rather than just a property management system feeding the OTA channels. AI Sentiment and Escalations is the most directional move; it changes how hosts triage messages and is built to compound into a fuller assistant surface. The Booking.com sync is a structural play to reduce dependence on the OTA's own admin.

◆ Prediction

Phase 2 of Booking.com sync (rates, availability, deeper extranet parity) is the obvious next ship. Expect the AI inbox surface to gain auto-reply suggestions and automated guest-issue resolution flows on top of the existing sentiment scoring. Direct booking will continue to receive investment, given the new Booking Website Pro line.
