BookStack vs Notion
Side-by-side trajectory, velocity, and editorial themes.
BookStack opened a real theme extension surface, then spent six weeks patching CVEs.
BookStack shipped v26.03 in mid-March 2026 with a meaningful new theme module system and several theme events (page render, pre-save, OIDC URL customization) — the first time the project's customization surface has had real extension points rather than just template overrides. The next six weeks were almost entirely security work: four security-marked patch releases (v25.12.9, v26.03.1, v26.03.2, v26.03.4) addressing role-escalation via registration, hidden content leaking through markdown exports, style-code injection in revision diffs, and attachment/webhook URL validation gaps. Multiple researchers credited per release.
The arc is 'open up the platform, then defend it' — adding extension points was the v26.03 push, and the subsequent CVE volume reads as a coordinated audit response (often two researchers credited per advisory, suggesting public attention from pen-testers). The 25.12.x line is also still being patched in parallel, indicating the team is supporting both branches rather than forcing rapid upgrades.
Expect another v26.03.x patch release if the audit cycle isn't complete, then a return to feature work — likely more theme-event coverage and exposing more lifecycle hooks to match what the new module system can attach to. The dual-branch maintenance pattern probably continues until v25.12 hits its support cutoff.
Notion turns itself into the orchestration layer where other agents run.
Notion has shipped a full developer platform — Workers as a hosted runtime, External Agents API for Claude/Codex/Decagon, a CLI, inbound webhooks, and an Agent SDK. The Custom Agents beta has produced more than a million agents in two months, and the latest releases are about turning that surge into something enterprises will actually deploy: per-agent credit limits, workspace caps, admin dashboards, and a Library directory. Doc editing has become the visible surface; the engine being built underneath is agent and data plumbing.
The trajectory is from doc-and-database app to connective tissue between agents, SaaS APIs, and team workflows. Each recent release pushes in the same direction — agents become more discoverable (Directory), more reviewable before they act (Plan Mode), more governable at scale (admin controls), and more capable of reaching outside Notion (Agent SDK, webhooks). The strategic bet is that whoever owns the orchestration substrate matters more than whoever ships the smartest model.
Expect Workers to convert from free-beta to credit-metered on August 11, 2026, with pricing pressure landing on agent-SaaS startups whose value is mostly API stitching. The External Agents API and Agent SDK should move from waitlist to GA next, alongside deeper Slack/MS Teams surfaces where Notion agents run without users ever opening Notion.
See more alternatives to BookStack →
See more alternatives to Notion →