Vikunja vs Shortcut
Side-by-side trajectory, velocity, and editorial themes.
Vikunja crossed the v1.0 finish line and pivoted hard into security hardening.
Vikunja shipped two v1.0 release candidates through late 2025 and early 2026, then jumped to a v2 series whose first widely-tagged point release, v2.2.1, is dominated by security work. The latest release patches multiple SSRF and IDOR vulnerabilities, enforces disabled/locked-account semantics across every auth surface (OIDC, API tokens, CalDAV, LDAP), and adds a shared SSRF-safe HTTP client that webhooks and migrations now route through. User-facing feature work has slowed; the visible energy is in plumbing and audit cleanup.
The arc moves from feature-completion (S3 storage, drag-and-drop project moves, hover previews in late 2025) toward platform credibility — closing security gaps a self-hosted task tool needs to clear before serious team adoption. The rapid version-number jump from v1.0.0-rc4 to v2.2.1 in two months suggests v1.0 shipped and the team tagged a v2 line aimed at addressing accumulated authz debt. Expect the next several releases to keep the security-first posture rather than return to a feature push.
The next release will likely continue closing remaining authz edges (more IDOR audits, additional credential-stripping in API responses) and bundle a translations and dependency sweep. A user-facing feature push probably waits until the security work plateaus.
Shortcut redesigns its API for AI agents and pushes Korey beyond its own walls.
Shortcut is making concrete bets on agent-based work. API v4 entered alpha on May 12 with explicit framing around expanded capabilities and 'agent compatibility' — a positioning shift, not just a version bump. Their in-house AI assistant Korey is expanding outward: right-click access in February, then a dedicated Chrome extension in April that runs on any webpage. Around the strategic work, smaller improvements (Teams on Roadmap, March's SLA Alerts) keep shipping, alongside feed-noise from brand-guide pages being scraped as if they were releases.
Shortcut is positioning itself as the project-management surface that AI agents naturally operate against, not just a PM tool with AI features bolted on. Korey is being pushed from in-app helper toward general-purpose web assistant; the API is being redesigned with external agent consumers in mind. That's a coherent strategic stance the bigger PM players — Jira, Linear, Asana — have not yet made as explicitly. Underlying release cadence stays steady, suggesting these are strategic plays, not panicked pivots.
Expect API v4 to surface MCP-style tooling endpoints and structured action surfaces aimed squarely at agent frameworks. Korey's Chrome extension is likely a stepping stone toward a 'Korey anywhere' positioning — deeper integrations with browser, email, and calendar are the natural next dominoes.
See more alternatives to Vikunja →
See more alternatives to Shortcut →