
Kanboard vs SmartSuite

Side-by-side trajectory, velocity, and editorial themes.

K0.0

Kanboard is on a year-long security-hardening run, sweeping the codebase one attack class at a time.

◆ Current state

Kanboard's last six releases read as a single sustained security audit: parameterized queries replacing raw SQL, SSRF protection for webhooks, LDAP injection escapes, timing-safe token comparisons, CSRF for project role changes, comment-visibility enforcement for unauthenticated users, and removal of unsafe deserialization paths (file cache driver, legacy serialized events). Feature work continues in parallel — RTL support, Arabic translation, sub-task counts, bulk tag operations — but is clearly secondary to the hardening arc.

◆ Where it's heading

The team is methodically working through input surfaces (LDAP, headers, webhooks, file uploads, redirect targets) and output surfaces (comments, exports, API responses) to close authorization and injection gaps. This is mature-project hygiene, not pivot work — Kanboard is positioning itself as an audit-ready self-hostable kanban for organizations with security review checklists. PHP 8.1 is now the floor; the codebase is being modernized alongside the hardening.

◆ Prediction

Expect the security cadence to continue with one to two more releases focused on remaining trust boundaries, then a feature-weighted release picking up RTL/locale follow-ons and possibly the long-promised SQLite/Postgres parity work hinted at by recent Docker Compose additions.

S6.3

SmartSuite is rewiring its core primitives for ITSM, GRC, and structured service-desk work.

◆ Current state

Two dense release waves in early and mid May target a clear set of buyers: service desks, governance/risk/compliance teams, and PMO operators. Forms got a major upgrade — multi-page flows, a review step, table-display linked records, and a new Internal mode for authenticated in-app submissions. Around it, SmartSuite added a first-class Team field through to automations, dynamic-value URLs, cross-Solution calendar roll-ups, Solution-level restore, and a manual stop on AI Field Agents.

◆ Where it's heading

The product is moving past its general no-code positioning toward becoming the work platform of choice for structured operational teams. Internal Forms, the Team field across automations, and Solution-level governance features are exactly the surface a buyer evaluating ServiceNow alternatives or a lightweight GRC platform looks for. The AI Field Agent work continues but is taking a back seat to the operational plumbing that lets larger, more regulated teams adopt SmartSuite without bolt-ons.

◆ Prediction

Expect deeper SLA, approval workflow, and audit primitives next — the natural follow-ons once Team and Internal Forms are in place. A native service-portal experience or richer ITSM-flavoured templates would not be surprising in the next quarter.
