BookStack vs Shortcut
Side-by-side trajectory, velocity, and editorial themes.
BookStack opened a real theme extension surface, then spent six weeks patching CVEs.
BookStack shipped v26.03 in mid-March 2026 with a meaningful new theme module system and several theme events (page render, pre-save, OIDC URL customization) — the first time the project's customization surface has had real extension points rather than just template overrides. The next six weeks were almost entirely security work: four security-marked patch releases (v25.12.9, v26.03.1, v26.03.2, v26.03.4) addressing role-escalation via registration, hidden content leaking through markdown exports, style-code injection in revision diffs, and attachment/webhook URL validation gaps. Multiple researchers credited per release.
The arc is 'open up the platform, then defend it' — adding extension points was the v26.03 push, and the subsequent CVE volume reads as a coordinated audit response (often two researchers credited per advisory, suggesting public attention from pen-testers). The 25.12.x line is also still being patched in parallel, indicating the team is supporting both branches rather than forcing rapid upgrades.
Expect another v26.03.x patch release if the audit cycle isn't complete, then a return to feature work — likely more theme-event coverage and exposing more lifecycle hooks to match what the new module system can attach to. The dual-branch maintenance pattern probably continues until v25.12 hits its support cutoff.
Shortcut redesigns its API for AI agents and pushes Korey beyond its own walls.
Shortcut is making concrete bets on agent-based work. API v4 entered alpha on May 12 with explicit framing around expanded capabilities and 'agent compatibility' — a positioning shift, not just a version bump. Their in-house AI assistant Korey is expanding outward: right-click access in February, then a dedicated Chrome extension in April that runs on any webpage. Around the strategic work, smaller improvements (Teams on Roadmap, March's SLA Alerts) keep shipping, alongside feed-noise from brand-guide pages being scraped as if they were releases.
Shortcut is positioning itself as the project-management surface that AI agents naturally operate against, not just a PM tool with AI features bolted on. Korey is being pushed from in-app helper toward general-purpose web assistant; the API is being redesigned with external agent consumers in mind. That's a coherent strategic stance the bigger PM players — Jira, Linear, Asana — have not yet made as explicitly. Underlying release cadence stays steady, suggesting these are strategic plays, not panicked pivots.
Expect API v4 to surface MCP-style tooling endpoints and structured action surfaces aimed squarely at agent frameworks. Korey's Chrome extension is likely a stepping stone toward a 'Korey anywhere' positioning — deeper integrations with browser, email, and calendar are the natural next dominoes.
See more alternatives to BookStack →
See more alternatives to Shortcut →