Kanboard vs Shortcut
Side-by-side trajectory, velocity, and editorial themes.
Kanboard is on a year-long security-hardening run, sweeping the codebase one attack class at a time.
Kanboard's last six releases read as a single sustained security audit: parameterized queries replacing raw SQL, SSRF protection for webhooks, LDAP injection escapes, timing-safe token comparisons, CSRF for project role changes, comment-visibility enforcement for unauthenticated users, and removal of unsafe deserialization paths (file cache driver, legacy serialized events). Feature work continues in parallel — RTL support, Arabic translation, sub-task counts, bulk tag operations — but is clearly secondary to the hardening arc.
The team is methodically working through input surfaces (LDAP, headers, webhooks, file uploads, redirect targets) and output surfaces (comments, exports, API responses) to close authorization and injection gaps. This is mature-project hygiene, not pivot work — Kanboard is positioning itself as an audit-ready self-hostable kanban for organizations with security review checklists. PHP 8.1 is now the floor; the codebase is being modernized alongside the hardening.
Expect the security cadence to continue with one to two more releases focused on remaining trust boundaries, then a feature-weighted release picking up RTL/locale follow-ons and possibly the long-promised SQLite/Postgres parity work hinted at by recent Docker Compose additions.
Shortcut redesigns its API for AI agents and pushes Korey beyond its own walls.
Shortcut is making concrete bets on agent-based work. API v4 entered alpha on May 12 with explicit framing around expanded capabilities and 'agent compatibility' — a positioning shift, not just a version bump. Their in-house AI assistant Korey is expanding outward: right-click access in February, then a dedicated Chrome extension in April that runs on any webpage. Around the strategic work, smaller improvements (Teams on Roadmap, March's SLA Alerts) keep shipping, alongside feed-noise from brand-guide pages being scraped as if they were releases.
Shortcut is positioning itself as the project-management surface that AI agents naturally operate against, not just a PM tool with AI features bolted on. Korey is being pushed from in-app helper toward general-purpose web assistant; the API is being redesigned with external agent consumers in mind. That's a coherent strategic stance the bigger PM players — Jira, Linear, Asana — have not yet taken as explicitly. Underlying release cadence stays steady, suggesting these are strategic plays, not panicked pivots.
Expect API v4 to surface MCP-style tooling endpoints and structured action surfaces aimed squarely at agent frameworks. Korey's Chrome extension is likely a stepping stone toward a 'Korey anywhere' positioning — deeper integrations with browser, email, and calendar are the natural next dominoes.