Comparison · PM

Kanboard vs Sunsama

Side-by-side trajectory, velocity, and editorial themes.

K0.0

Kanboard is on a year-long security-hardening run, sweeping the codebase one attack class at a time.

◆ Current state

Kanboard's last six releases read as a single sustained security audit: parameterized queries replacing raw SQL, SSRF protection for webhooks, LDAP injection escapes, timing-safe token comparisons, CSRF for project role changes, comment-visibility enforcement for unauthenticated users, and removal of unsafe deserialization paths (file cache driver, legacy serialized events). Feature work continues in parallel — RTL support, Arabic translation, sub-task counts, bulk tag operations — but is clearly secondary to the hardening arc.

◆ Where it's heading

The team is methodically working through input surfaces (LDAP, headers, webhooks, file uploads, redirect targets) and output surfaces (comments, exports, API responses) to close authorization and injection gaps. This is mature-project hygiene, not pivot work — Kanboard is positioning itself as an audit-ready self-hostable kanban for organizations with security review checklists. PHP 8.1 is now the floor; the codebase is being modernized alongside the hardening.

◆ Prediction

Expect the security cadence to continue with one to two more releases focused on remaining trust boundaries, then a feature-weighted release picking up RTL/locale follow-ons and possibly the long-promised SQLite/Postgres parity work hinted at by recent Docker Compose additions.

S6.3

Sunsama ships Task Priority + Auto-Sort and starts wiring Sunny into MCP — daily planning gets opinionated.

◆ Current state

Sunsama is in steady weekly-release cadence, with the bulk of recent work concentrated in two places: the Task Priority + Auto-Sort system, which has just graduated from beta into a documented core feature, and the Sunny AI assistant, which is gaining persistent memory and MCP-callable primitives like get_task_by_id. The integration surface continues to deepen — Linear, Todoist, Jira, Asana imports now carry priority signal through into Sunsama's own model.

◆ Where it's heading

The product is moving from 'manual daily planner' toward 'opinionated planner that can be driven by Sunny or external agents.' Auto-Sort is the most telling move: Sunsama is now willing to reorder the user's day on its own based on priority and scheduled time, which is a philosophical step away from the manual drag-and-drop heritage. The MCP work signals they want Sunsama to be addressable by other AI tools — not just consumed via the Sunny UI.

◆ Prediction

Expect the next few weekly drops to expand Sunny's MCP toolset (write actions, not just reads) and to roll priority rollover into more of the integration importers. A 'Sunny plans your day' end-to-end flow that leans on the new priority + auto-sort plumbing is the natural next milestone.
